ABSTRACT


Wireless networking is a rapidly emerging technology, and security must be addressed as it is incorporated into new and existing local area networks (LANs). It is important to know which unique properties of wireless LANs might amplify existing LAN vulnerabilities or introduce new ones.

Wireless transmission techniques, topologies, and vendor offerings were surveyed from a security perspective. Three rating systems were developed to analyze aspects of these survey areas. The areas were then rated using these systems and displayed graphically on Kiviat drawings to allow a symmetric comparison of each analysis category.

Frequency hopping spread spectrum (FHSS) transmission technology, cellular topology, and the Jaguar product emerge as the best current approaches available. These results are applied to a case study that examines options for replacing wired network segments, attacks on wireless segments, and methods of detecting an attacker. Current standards offer guidance that dictates how wireless technologies must operate but does not relate to principles of LAN design. Our study and rating system results provide guidance for creating a network topology. The case study demonstrated that care must be taken in choosing wireless network segments. This work should help system administrators by providing examples of good and bad choices.
I. INTRODUCTION


A.  WIRELESS  LOCAL  AREA  NETWORKS 

Wireless local area networks (WLANs) are a new alternative to traditional hard-wired local area networks (LANs). They use radio frequency (RF) or infrared (IR) transmissions to communicate information from one point to another and do not rely on physical connections. A typical WLAN configuration includes a transceiver (transmitter/receiver) called an access point (AP) connected to the wired network using standard cabling. The access point antenna is mounted wherever practical to obtain the desired coverage. End users access the WLAN through adapters, such as notebook PC cards, that interface between the client network operating system (NOS) and the user.

1.  Advantages  of  wireless  over  wired 

WLAN technologies have been available since 1980, but the increasing number of portable computers has heightened the need for them. These systems allow users to access shared information without physically "plugging into" a network, so LAN managers can set up or augment their networks without installing new wires. The advantages offered by WLANs are mobility, low installation cost, installation speed, and scalability.

a.  Mobility 

WLANs  can  provide  continuous  network  access  to  users  within  their 
organization  thus  supporting  productivity  not  possible  with  wired  networks.  People  can 
physically  move  their  node  (computer)  without  breaking  their  virtual  network 
connection.  This  will  be  termed  “roaming”. 

b. Low Installation Costs

WLANs  offer  an  advantage  over  wired  LANs  where  the  physical  makeup 
of  a  building  makes  it  difficult  to  route  wire.  Not  routing  wire  yields  lower  installation 
costs  and  quicker  setup  times.  Overall  life-cycle  costs  are  also  lowered,  because  there 
are  fewer  cables  to  replace  during  future  upgrades. 
c. Installation Speed

Installing a wireless LAN system is faster than installing a hard-wired system. The need to pull wire through walls and ceilings is eliminated. Small transceiver-type devices attached to mobile users and to the network effectively link system resources. Wireless technology allows the network to go where wire cannot.

d.  Scalability 

Hardware peripherals can be added to the network to serve additional wireless clients. Once the number of clients reaches the maximum an AP can support, extra APs and extension points can be installed to accommodate those users.

2.  Department  of  Defense  Applications 

Wireless  technology  can  be  used  in  Department  of  Defense  (DoD)  applications. 
Wireless  networks  can  be  used  in  combination  with  cabled  LANs:  machines  requiring 
mobility  are  connected  wirelessly,  while  others  remain  hard  wired.  Wireless  computing 
has  the  potential  to  reduce  costs  of  routing  and  maintaining  cable  and  associated 
hardware  peripherals.  It  can  also  be  configured  in  a  variety  of  topologies  to  meet  specific 
application  needs.  These  topologies  range  from  peer-to-peer,  suitable  for  a  small  number 
of  users,  to  full  infrastructures  encompassing  thousands  of  users.  WLANs  frequently 
augment,  rather  than  replace,  wired  LANs,  often  providing  the  final  few  meters  of 
connectivity  between  a  wired  network  and  the  mobile  user. 

B.  PROBLEM  STATEMENT 

Protecting WLANs from attack by malicious hackers and unauthorized users is a problem. Architectural considerations for the inclusion of wireless components in hard-wired networks must be addressed. Administrative security and the protection of data should be considered during initial system planning.

C.  THESIS  OVERVIEW 

Flexibility and mobility make wireless LANs both effective extensions to and attractive alternatives for wired networks. WLANs provide all of the connection functionality of wired LANs without the spatial constraints of a physically wired system. Their configurations range from simple peer-to-peer topologies to complex architectures, all offering the benefits of roaming. They offer both end-user mobility and network portability.

Security  within  information  systems  is  vital  to  protecting  data  against  exploitation 
from  outside  sources.  DoD  WLAN  goals  can  be  addressed  by  first  understanding 
available  technologies  and  how  they  may  be  used  securely,  and  then  choosing  appropriate 
vendors  to  supply  the  equipment. 

Available  wireless  technologies  will  be  examined  to  better  understand  how  their 
use  might  increase  the  threat  to  security.  An  evaluation  of  their  advantages  and 
disadvantages  will  show  their  architectural  strengths  and  weaknesses.  These 
technologies  encompass  multiple  transmission  techniques,  general  security  differences, 
and  applicable  standards.  A  final  evaluation  narrows  the  field  of  possible  topology  and 
vendor  candidates  suitable  for  DoD  architectures. 

This paper surveys the various technologies used to build WLANs, and how WLANs can be protected, in Chapter Two. Types of attacks and methods to combat them are explored in Chapter Three, culminating in an analytical survey of acceptable WLAN component combinations in Chapter Four. This information provides the basis for a case study, also in Chapter Four, of a typical LAN found at the Naval Postgraduate School; it shows the options available for replacing hard-wired segments with wireless ones. Chapter Five presents final conclusions and discussion.



II. BACKGROUND


Hard-wired LANs are used for sharing computer resources and providing connectivity. The WLAN provides an alternative to traditional twisted pair, coaxial cable, and optical fiber based networks. WLANs perform the same function as wired LANs by conveying information among networked devices, but operate without physical cabling between nodes. They can be implemented as an extension to, or an alternative for, a wired LAN. WLANs use radio frequency (RF) and infrared (IR) technology for inter-component communication. They minimize the need for wired connections and combine data connectivity with user mobility. This chapter describes the transmission, topology, and vendor technologies available to build a WLAN.

A. TECHNOLOGY OVERVIEW: WIRELESS TRANSMISSION TECHNIQUES

Wireless LANs were introduced in 1980.[1] Transmission types include narrowband microwave, infrared, and spread spectrum technologies. Each technology has its advantages and limitations; they are described below.

1.  Narrowband  Microwave 

In radio frequency transmission, data is superimposed (modulated) onto an outgoing radio carrier and then extracted at the receiving end. The radio receiver tunes in one radio frequency while rejecting all others. Multiple radio carriers can coexist without interference if the signals are transmitted at different frequencies. Narrowband radio systems transmit and receive information on specific radio frequencies and are used to interconnect LANs between buildings. They require line-of-sight antenna dishes on both ends of the link. The transmitter encodes an input signal that is mixed with a constant frequency known as the "carrier". The receiver filters out this carrier signal to recover the original data. Narrowband radio keeps the signal frequency within a small specified range. Undesirable crosstalk between communication channels is avoided by carefully coordinating different users on different channel frequencies. Communication privacy and non-interference are accomplished by using separate radio frequencies. The radio receiver filters out all radio signals except those on its designated frequency.[2]

[1] Sami Uskela, Wireless Local Area Networks (…110.501/1997/wireless_lan.html#IntegrityandConfidentiality).


a. Advantages

Narrowband  microwave  radio  antennas  bypass  telephone  company  lines, 
so  the  cost  of  phone  line  service  is  avoided.  The  antenna  itself  costs  very  little,  but  prices 
vary  depending  on  size  and  wattage  requirements.  Unlike  IR,  its  signal  is  not  easily 
blocked  by  physical  structures. 

b.  Disadvantages 

Narrowband technology is susceptible to interference and is therefore individually licensed by the FCC, to prevent other systems from operating at the same frequency in a particular area. Once a site license is granted, that frequency band cannot be licensed anywhere else within a 17.5 mile radius. Also, since a narrowband signal sits on a single fixed frequency, a third party that learns the frequency can tune in and intercept communications.

2.  Infrared 

Infrared uses the same technology as a television remote control. IR signals transmit data between nodes using either a point-to-point or a diffuse configuration (signals are diffused by reflecting them off a surface). IR systems use very high frequencies, just below those of visible light in the electromagnetic spectrum. Like light, IR cannot penetrate opaque objects. It is either directed (line-of-sight) or reflected.[3]


[2] Proxim, What is a Wireless LAN? (http://www.wirelesslan.com/wireless).
[3] Ibid.
a. Advantages


IR is not bandwidth limited and can be used to transmit at speeds greater than 50 Mbps. Some containment of the signal is inherent, because IR cannot penetrate solid objects. IR also does not require an FCC license.

b.  Disadvantages 

Infrared's easy obstruction is a disadvantage when it is installed in a space with many obstacles. Similarly, its limited range is a disadvantage when the WLAN is needed over a large area. Inexpensive systems provide approximately three feet of coverage and are typically used for personal area networks. High-performance IR is impractical for mobile users and is therefore used in fixed sub-networks. Diffused (reflected) IR does not require line-of-sight, but cells are limited to individual rooms.

3.  Spread  Spectrum 

Most wireless LANs use spread-spectrum technology. It is a wideband RF technique developed by the military for reliable, secure, mission-critical communication systems; it was initially created to resist jamming and eavesdropping. Spread spectrum exchanges bandwidth efficiency for reliability, integrity, and security. It spreads the signal over a range of frequencies within the industrial, scientific, and medical (ISM) bands, avoiding the concentration of power in a single narrow frequency band. This "spreading" makes the signal look like noise and makes the transmitted bandwidth much larger than that of the original signal. More bandwidth is consumed than in a narrowband transmission, but the tradeoff produces a signal that is, in effect, louder and easier to detect for a receiver that knows the spreading parameters, while appearing as low-level noise to one that does not. Spread spectrum frequency bands include 902 MHz to 928 MHz and 2.4 GHz to 2.484 GHz. The 2.4 GHz range is available worldwide, which provides convenient high-speed wireless capability to users. The FCC regulates the frequency bands used by spread spectrum but does not require individual licensing for local coverage areas. Products developed for unlicensed FCC use must employ one of two spread spectrum techniques: frequency hopping or direct sequence.[4]


[4] Ibid.
a. Frequency Hopping Spread Spectrum

Frequency hopping spread spectrum (FHSS) transmits short radio bursts on one frequency and then "hops" to another for the next burst. The carrier signal changes frequency in a pseudo-random pattern known to both transmitter and receiver. The source and destination must also be synchronized so that they are on the same frequency at the same time. A transmitted message can only be fully received if the series of frequencies is known, since only the intended receiver knows the transmitter's hopping sequence; to an unintended receiver, FHSS appears as short-duration impulse noise. This protection rests on the sequence being unknown: in a standardized product such as IEEE 802.11 the set of hopping patterns is published, so a standard-compliant receiver can follow any of them and the hopping itself provides no confidentiality. Any radio with a digitally controlled frequency synthesizer can be converted to a frequency hopping radio. The conversion requires adding a pseudo-noise (PN) code generator to select the frequencies for transmission or reception. Most hopping systems use uniform frequency hopping over a band of frequencies. This is not absolutely necessary if both transmitter and receiver know in advance which frequencies are to be skipped. A frequency hopped system can use analog or digital carrier modulation. Most vendors develop their own hopping-sequence algorithms, which significantly reduces the likelihood that two transmitters will hop to the same frequency at the same time.[5]

1). Federal Communications Commission Guidelines. Hopping patterns and dwell times (time spent at each frequency) are restricted. The Federal Communications Commission (FCC) requires that 75 or more frequencies be used, with a maximum dwell time of 400 ms. If interference occurs on one frequency, the data are retransmitted on a subsequent hop to another frequency. Each channel has a frequency width also determined by the FCC. The FCC requires that a transmitter not spend more than 0.4 seconds on any one channel in any 20 seconds in the 902 MHz band, or in any 30 seconds in the 2.4 GHz band. It further requires that transmitters hop through at least 50 channels in the 902 MHz band and 75 channels in the 2.4 GHz band.

2). IEEE 802.11. IEEE 802.11 limits frequency hopping spread spectrum transmitters to the 2.4 GHz band.

3). The market for frequency hopping spread spectrum. All FHSS products allow the use of more than one channel in the same area by implementing separate channels on different hopping sequences. This allows many non-overlapping channels.

[5] Ibid.
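The mechanism described in this section (a PN code generator shared by both ends, the need for slot synchronization, and the FCC channel-count and dwell-time limits) is illustrated below in an added example written for this edit; it is not code from the thesis or from any vendor. The 16-bit LFSR and its taps, the seeds, the 79-channel count, and the four-character bursts are assumptions made for the illustration; the 50/75-channel minimums and the 0.4 s per 20 s / 30 s windows are the figures quoted in the text.

```python
"""Toy FHSS model (hypothetical, written for this edit): a shared PN generator
drives the hop pattern, the receiver must hold the same seed and stay in slot
sync, and a checker applies the FCC hopping rules quoted in the text."""
from collections import Counter


class PNGenerator:
    """16-bit Fibonacci LFSR standing in for the pseudo-noise (PN) code
    generator that selects hop frequencies. Taps are an assumption here."""

    def __init__(self, seed: int):
        self.state = seed & 0xFFFF
        if self.state == 0:
            raise ValueError("LFSR seed must be non-zero")

    def bit(self) -> int:
        # feedback from bits 16, 14, 13, 11 (x^16 + x^14 + x^13 + x^11 + 1)
        s = self.state
        fb = ((s >> 15) ^ (s >> 13) ^ (s >> 12) ^ (s >> 10)) & 1
        self.state = ((s << 1) | fb) & 0xFFFF
        return fb

    def below(self, n: int) -> int:
        """Pseudo-random integer in [0, n) from 16 fresh LFSR bits."""
        word = 0
        for _ in range(16):
            word = (word << 1) | self.bit()
        return word % n


def hop_pattern(seed: int, n_channels: int) -> list:
    """One full hopping pattern: a seed-dependent permutation of all channels.
    Visiting every channel once per cycle is what keeps the dwell rule met."""
    chans = list(range(n_channels))
    pn = PNGenerator(seed)
    for i in range(n_channels - 1, 0, -1):       # Fisher-Yates driven by the PN code
        j = pn.below(i + 1)
        chans[i], chans[j] = chans[j], chans[i]
    return chans


def hop_sequence(seed: int, n_channels: int, n_slots: int) -> list:
    """Channel used in each time slot: the pattern repeated cyclically."""
    pattern = hop_pattern(seed, n_channels)
    return [pattern[s % n_channels] for s in range(n_slots)]


def transmit(message: str, seed: int, n_channels: int, burst: int = 4) -> dict:
    """Air capture: one short burst per hop slot, keyed by (slot, channel)."""
    chunks = [message[i:i + burst] for i in range(0, len(message), burst)]
    hops = hop_sequence(seed, n_channels, len(chunks))
    return {(slot, ch): chunk for slot, (ch, chunk) in enumerate(zip(hops, chunks))}


def receive(air: dict, seed: int, n_channels: int, slot_offset: int = 0) -> str:
    """Listen on the channel our own PN sequence predicts for each slot.
    A wrong seed, or lost slot sync (slot_offset != 0), yields only the bursts
    that happen to land on the channel we were tuned to."""
    n_slots = 1 + max(slot for slot, _ in air)
    hops = hop_sequence(seed, n_channels, n_slots + slot_offset)
    return "".join(air.get((slot, hops[slot + slot_offset]), "") for slot in range(n_slots))


FCC_RULES = {"902MHz": (50, 20.0), "2.4GHz": (75, 30.0)}   # (min channels, window s)


def fcc_hopping_ok(hops: list, dwell_s: float, band: str) -> bool:
    """Check the two FCC constraints stated in the text: at least N distinct
    channels, and no more than 0.4 s on any one channel inside any window."""
    min_channels, window_s = FCC_RULES[band]
    if len(set(hops)) < min_channels or dwell_s > 0.4:
        return False
    slots = int(window_s // dwell_s)             # hops that fit in one window
    for start in range(len(hops)):
        busiest = max(Counter(hops[start:start + slots]).values())
        if busiest * dwell_s > 0.4:
            return False
    return True


if __name__ == "__main__":
    msg = "Constructed sample frame: roam ok"     # constructed sample payload
    air = transmit(msg, seed=0xACE1, n_channels=79)
    print(receive(air, 0xACE1, 79))               # intended receiver
    print(repr(receive(air, 0xBEEF, 79)))         # eavesdropper with wrong PN seed
    print(repr(receive(air, 0xACE1, 79, 1)))      # right seed, one slot out of sync
    print(fcc_hopping_ok(hop_sequence(0xACE1, 79, 500), 0.4, "2.4GHz"))
```

Running the block shows the intended receiver recovering the frame while a receiver with a different seed, or one that is a single slot out of sync, collects little or nothing. The compliance check passes for the permutation-based pattern (every channel visited once per cycle, as the published 802.11 hop sets do) and fails for a sequence that revisits a channel inside the window, which is the usual reason a naive "random" hop generator would not satisfy the rule.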

b.  Direct  Sequence  Spread  Spectrum  (pseudonoise) 

Direct sequence spread spectrum (DSSS) avoids excessive power concentration by spreading the signal over a wider frequency band. The data signal is multiplied by a wideband spreading signal that the receiver uses to recover the original signal. DSSS transmitters spread the signal by mapping each data bit into a pattern of "chips" called a chipping code and transmitting these redundant chips in place of the bit. At the destination the chips are mapped back into bits, recreating the original data. The longer the chipping code, the greater the probability of recovering the data and the more bandwidth required. If one or more chips are damaged during transmission, statistical techniques (correlation) in the receiver can still recover the original bit. To an unintended receiver, DSSS appears as low-power wideband noise and is ignored. The ratio of chips to data bits is called the "spreading ratio". A high spreading ratio increases the resistance of the signal to interference; a low spreading ratio increases the net bandwidth available to a user. Overall, these spreading ratios are quite small: most 2.4 GHz product manufacturers offer a spreading ratio of less than 20. Like FHSS, a DSSS receiver must know the transmitter's spreading code to decode the data. Distinct spreading codes allow multiple transmitters to operate simultaneously without interference. Once the receiver has the entire signal, it removes the chips with a correlator and collapses the signal to its original length.[6]

1). Federal Communications Commission Guidelines. The FCC requires that each signal have ten or more chips per bit, limiting data throughput to 2 Mbps in the 902 MHz band and 8 Mbps in the 2.4 GHz band. The number of chips is directly related to a signal's immunity to interference, meaning some throughput is sacrificed to avoid interference.

2). IEEE 802.11. IEEE 802.11 specifies precisely 11 chips per bit for DSSS, as opposed to the FCC's requirement of 10 or more. Because the 11-chip sequence is fixed by the standard, every 802.11 DSSS receiver knows it; the spreading code provides interference resistance, not confidentiality, and any privacy must come from encryption at a higher layer.

3). The market for direct sequence spread spectrum. DSSS products allow more than one channel in the same area. The 2.4 GHz band is separated into several sub-bands, each containing an independent DSSS network. Because DSSS truly spreads across the spectrum, the number of independent (i.e., non-overlapping) channels in the 2.4 GHz band is small. The maximum number of independent channels for any DSSS implementation is three.

[6] Ibid.
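The chip-level mechanics above (spreading each bit into a chipping code, recovering bits through a correlator, and the error tolerance that grows with the spreading ratio) are easier to see in code. The following is an added example written for this edit, not code from the thesis or from any vendor; it uses the public 11-chip Barker sequence that IEEE 802.11 specifies for DSSS, and the payload and the chip-error positions are constructed for illustration.

```python
"""Toy DSSS model (hypothetical, written for this edit) using the IEEE 802.11
11-chip Barker sequence: spread each data bit into 11 chips, damage some chips
in the channel, and recover the bits with a correlator."""

# Public 11-chip Barker sequence used by 802.11 DSSS at 1 and 2 Mbps (+1/-1 form)
BARKER_11 = (+1, -1, +1, +1, -1, +1, +1, +1, -1, -1, -1)


def spreading_ratio(code) -> int:
    """Chips per data bit; interference resistance scales with this number."""
    return len(code)


def max_correctable_chip_errors(code) -> int:
    """The correlator keeps the right sign while fewer than half the chips
    of a bit are inverted, so (N - 1) // 2 flips per bit are tolerated."""
    return (len(code) - 1) // 2


def spread(bits, code=BARKER_11) -> list:
    """Map each bit to the code (bit 1) or its negation (bit 0)."""
    chips = []
    for b in bits:
        sign = 1 if b else -1
        chips.extend(sign * c for c in code)
    return chips


def despread(chips, code=BARKER_11) -> list:
    """Correlate each N-chip block with the code; the sign of the sum is the bit."""
    n = len(code)
    if len(chips) % n:
        raise ValueError("chip stream is not a whole number of symbols")
    bits = []
    for i in range(0, len(chips), n):
        corr = sum(x * c for x, c in zip(chips[i:i + n], code))
        bits.append(1 if corr > 0 else 0)
    return bits


def flip_chips(chips, positions) -> list:
    """Constructed channel damage: invert the chips at the given indices."""
    out = list(chips)
    for p in positions:
        out[p] = -out[p]
    return out


def bit_errors(sent, got) -> int:
    return sum(1 for a, b in zip(sent, got) if a != b)


def bits_from_bytes(data: bytes) -> list:
    return [(byte >> (7 - k)) & 1 for byte in data for k in range(8)]


def bytes_from_bits(bits) -> bytes:
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits), 8))


def demo():
    """Spread a constructed 2-byte payload, flip 5 chips of the first symbol
    (recoverable) and 6 chips of the second (not), and despread."""
    payload = b"AP"                            # constructed sample payload
    bits = bits_from_bytes(payload)
    chips = spread(bits)                       # 16 bits -> 176 chips
    damaged = flip_chips(chips, list(range(0, 5)) + list(range(11, 17)))
    recovered = despread(damaged)
    return bit_errors(bits, recovered), bytes_from_bits(recovered)


if __name__ == "__main__":
    print(spreading_ratio(BARKER_11), max_correctable_chip_errors(BARKER_11))
    print(demo())
```

Because a symbol is decoded from the sign of its correlation, up to five inverted chips out of eleven are absorbed, while six flip the bit. Note that despread() needs nothing secret: every 802.11 DSSS receiver holds the same Barker sequence, which is why the spreading code is an interference-rejection and channel-separation mechanism rather than a privacy one.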

B. TECHNOLOGY OVERVIEW: WIRELESS TOPOLOGIES

A "network topology" is the arrangement of a set of workstations that communicate with one another; it is the architectural drawing of the physical configuration that represents the network. At its most basic, two personal computers (PCs) equipped with wireless adapter cards can form an independent network when within range of one another. This is called a peer-to-peer network (Figure 1) and requires no administration or pre-configuration. Each PC has access only to the resources of the other and not to a central server.


Figure 1: A Wireless Peer-to-Peer Network[7]


Installing a hard-wired access point (AP) extends the range of a peer-to-peer network (Figure 2). The AP provides client access to server resources as well as to other clients. Each AP can accommodate many clients, depending on the amount and nature of the traffic.

[7] Ibid.

Figure 2: Client and Access Point[8]


Access points have a finite range, so it may be necessary to install multiple APs in large facilities (Figure 3). AP positioning is determined by a site survey. The goal is to blanket the coverage area with overlapping cells so that users can roam seamlessly throughout the area without losing network contact. APs hand the user off invisibly from one cell to another, ensuring unbroken connectivity.


Figure 3: Multiple Access Points and Roaming[9]


To solve extended range problems, Extension Points (EPs) augment the network (Figure 4). EPs function like APs but are not tethered to the wired network. They extend the range of the network by relaying signals from a client to an AP or to another EP. EPs may be strung together to link an AP to far-away clients.

[8] Ibid.
[9] Ibid.


Figure 4: Extension Point Providing Coverage Between APs and Mobile Users

A directional antenna extends the WLAN range to other buildings. If a WLAN in building "A" is to be extended to building "B" one mile away, a directional antenna can be installed on each building. Both antennas are connected to the WLANs within their buildings, enabling wireless LAN connectivity throughout the facility (Figure 5).


Figure 5: The Use of Directional Antennas[11]


Using  these  examples  as  building  blocks,  WLAN  topologies  can  be  divided  into 
four  distinct  categories  based  on  the  presence  or  absence  of  a  network  infrastructure. 


[10] Ibid.
[11] Ibid.

1. Ad Hoc


Ad hoc networks contain mobile workstations that are wirelessly connected and have no wired infrastructure. They fall into two categories:

a.  Ad  Hoc  without  centralized  control 

Figure 6 is an ad hoc network without centralized control, where stations send packets directly to each other. Access control is difficult, because unauthorized stations can join the network with no authentication. Additionally, this kind of network is difficult to maintain in large facilities due to range restrictions.


Figure 6: Ad Hoc Without Centralized Control[12]

b.  Ad  Hoc  with  centralized  control 

In Figure 7, the centralized control station is called the Base Station (BS), through which all stations communicate wirelessly. Communication between mobile stations is allowed if restricted access is not imposed by the BS. A problem can arise if one station drifts out of range. The BS is designed to recognize such "drift" and relays a warning message to each mobile unit. Centralized control provides better security, because the BS enforces access control for the mobile units. The level and strength of this control depends on the operating system used in the network.

[12] Saraswati Balakrishna, Network Topologies in Wireless LANs (http://www.cs.umbc.edu/~sbalak1/lan2.html, December 1995).

Figure 7: Ad Hoc With Centralized Control


2.  Cellular 

Cellular networks contain mobile sub-networks that access, through either wired or wireless connections, a base station that is attached to another sub-network (Figure 8). A mobile unit can only access one BS at a time, and the BS advertises which mobile stations are associated with it. When users roam, a mobile unit may associate itself with another BS where BS coverage areas overlap (as in Cell A and Cell B). When this happens the two BSs negotiate between themselves and decide which will assume control of the mobile unit.
Figure 8: Cellular


3.  Non-Cellular 

Non-cellular networks, shown in Figure 9, are similar to cellular ones in that mobile stations gain access to a wired network through BSs. Unlike the single-BS communication of cellular networks, mobile units can communicate simultaneously with multiple BSs, increasing communication efficiency. Direct communication between mobile units is not possible, because there is no method for one mobile unit to locate another. There is also no way for the system to know which BS is responsible for which mobile unit. Most WLANs use the cellular topology for access to wired media.


[13] Ibid.
[14] Ibid.
4. Personal Area Networks


A  personal  area  network  (PAN)  is  used  when  a  small  group  of  computers  require 
access  to  a  set  of  peripherals  (Figure  10).  Computers  are  termed  the  masters  and 
peripherals  the  slaves.  Slaves  respond  to  commands  from  the  masters.  PANs  exist  in  a 
small  geographic  area  such  as  an  office  and  are  relatively  easy  to  manage. 


Figure 10: Personal Area Networks


C. TECHNOLOGY OVERVIEW: VENDORS

The wireless market is crowded with hardware products that enhance WLAN capabilities. Several vendors provide complete WLAN networking systems with customized services and capabilities.

1.  Air-I/O 


Telxon Air-I/O (Figure 11) spread spectrum WLANs provide office-based communication coverage with data rates up to 2 Mbps. Air-I/O is 802.11-compliant and is offered in both FHSS and DSSS versions. Telxon's AirAware™ Wireless Software provides connectivity and management tools for the Air-I/O WLAN. AirAware's management tools include AirVision™, AirBeam™, AirGate™ and AirVU™, each of which is described below.

[15] Ibid.


Figure 11: Air-I/O[17]


a. AirVision

AirVision helps the user monitor and manage information. Its benefits include remote monitoring, analysis, fault identification, and performance management. AirVision also provides a wired network administrator's management tool that monitors standard terminal connections to wireless devices.[18]

[16] Telxon, Airware Software (http://www.telxon.com/pandtech/wirelessnet/wireless-soft, 1998).
[17] Ibid.
[18] Telxon, Airware Software (http://www.telxon.com/pandtech/wirelessnet/wireless-soft/airvision.asp, 1998).
b. AirBeam

AirBeam automates the updating and distribution of mobile client software. It is a set of client-resident executables and API libraries functioning as a standalone utility on each workstation. AirBeam tracks the application software resident in wireless mobile units and automatically manages software updates as they occur. These updates occur transparently over RF.[20]

c.  AirGate 

AirGate provides wireless gateway application server software. It uses a three-tier client-server architecture with a gateway application server placed between the wireless client and connected hosts. Client devices communicate with the server, which communicates with data sources and applications on behalf of the client.[21]

d. AirVU

AirVU provides standard terminal connections to wireless devices. It uses TCP/IP for direct session communication with host systems, so no controller or gateway server is required. AirVU can also be loaded on handheld devices, providing these services without restricting the device's other uses.[22]

2.  Jaguar 

Jaguar's 3.2 Mbps WLAN for Ethernet (Figure 12) uses FHSS and offers:

•  3.2 Mbps data rate.

•  Equalization that reduces retransmissions and improves throughput.

•  Compact designs and miniaturized dual internal antenna systems fully embedded in the WLAN PC Card adapter.


[20] Telxon, Airware Software (http://www.telxon.com/pandtech/wirelessnet/wireless-soft/airbeam.asp, 1998).
[21] Telxon, Airware Software (http://www.telxon.com/pandtech/wirelessnet/wireless-soft/airgate.asp, 1998).
[22] Telxon, Airware Software (http://www.telxon.com/pandtech/wirelessnet/wireless-soft/airvu.asp, 1998).
•  PC Card Link Status Indicator that tells the user when the mobile unit is within range of an AP and what data rate is being received.

•  Wireless LAN cell hand-offs.


Jaguar products are "plug and play", operating in the unlicensed 2.4 GHz frequency band. Jaguar dynamically selects between two digital modulation techniques, QPSK and 16QAM, to deliver the maximum data rate possible. In QPSK mode, Jaguar delivers a raw data rate of 1.6 Mbps and a user data throughput of 1.1 Mbps. In 16QAM mode, it delivers a raw data rate of 3.2 Mbps and a maximum user data throughput of 2.2 Mbps.[23]


Figure 12: Jaguar's 3.2 Mbps Wireless LAN[24]


Jaguar is hub-based, using a WLAN AP that provides the interface to a wired Ethernet. This AP can also serve as a field BS, allowing virtual "networking" without a hard-wired connection to the Ethernet. It provides a maximum open-air coverage range of 1,500 meters. The maximum coverage area of a cell is determined by the type of obstructions the radio signals pass through, the noise environment, and height above ground. These APs can use one of 78 different hopping patterns, providing maximum flexibility for network expansion. Each WLAN cell supports up to 62 users, with load balancing that automatically distributes users among overlapping cells. Jaguar can support up to 15 overlapping cells before data rate performance degrades. If cells do not overlap, the network can be extended indefinitely (Figure 13).

[23] Jaguar, Echipamente Wireless LAN, JAGUAR: 3.2 Mbps Wireless LAN for Ethernet (http://www.agerd.ro/produse/wireless/jaguar_topo.html, September 1998).
[24] Ibid.


Figure 13: Jaguar Access Point Configuration[25]


3. WaveLyNX BR132

WaveLyNX BR132 is an Ethernet WLAN bridge system that supports a point-to-point topology. It establishes dedicated connections between two LANs. BR132 supports 3.2 Mbps up to six miles, and 2.4 Mbps user throughput to a maximum single-hop range of 20 miles. In noisy environments it automatically falls back to 1.6 Mbps, and links over 20 miles are supportable using a repeater. BR132 uses WaveAccess' Adaptive Equalization (ADEQ)™ technology together with quadrature phase shift keying (QPSK) and 16 quadrature amplitude modulation (16QAM), rather than simple frequency shift keying (FSK). ADEQ allows more effective operation in noisy multipath environments. BR132s are deployed in pairs and are pre-configured as master and slave, with factory default hopping pattern settings for "out-of-the-box" operation. A factory-default hopping pattern is known to anyone who owns the same product, so it should not be relied on for anything beyond channel separation. Each BR132 also comes with a pair of standard 2 dBi gain antennas, which are used for simple communication links between LANs. Actual link speeds are determined by the distance covered, antenna type, cable type, and cable length (Figure 14).[26]


[Figure 14 (image not reproduced): a WaveLyNX BR132 point-to-point link between two BR132 units, 3.2 Mbps at 6 miles and 1.6 Mbps at the longer range] 

Figure 14: WaveLyNX BR13227 

4. NetWeaver 

NetWeaver is a high-performance, digital, point-to-multipoint data 
communication system that provides high-speed wireless networking. It operates at 2.4 
GHz FHSS offering full-duplex operation within each channel scalable to 3.2 Mbps. It 
has a variable range to a maximum of 10 miles (Figure 15).28 


26 WaveLyNX, Experimente Wireless LAN: WaveLyNX BR132 Network Topology, 
(http://www.agerd.ro/produse/wireless/lynx_topo.html, September 1998). 

27 Ibid. 

28 WaveLyNX, NetWeaver: Metropolitan Multipoint Internetworking Systems, 
(http://www.agerd.ro/produse/wireless/netweaver_spec.html, September 1998). 

Figure 15: NetWeaver29 


NetWeaver is based on a hub and spoke topology. It uses Central Unit (CU) 
modems that each support a single 3.2 Mbps or 1.6 Mbps channel with links supporting 
up to 62 wireless remote site radio modems. CUs access the Internet via a wired or 
wireless backbone and offer two digital wireless modem models: 

• SDR132 Single Drop Remote that supports a single desktop computer via a 
10Base-T port through the computer's Ethernet card, or a LAN connection via 
a router. 

• MDR132 Multi Drop Remote that supports full 802.3 bridging. 

NetWeaver remote wireless modems use full-duplex outdoor directional 
antennas. As network bandwidth requirements increase, additional CU channels can be 
added: up to 10 channels per base station. CU modules also support both omni-
directional and directional antenna arrays, ensuring that multiple BSs can be arranged for 
nearly unlimited scalability (Figure 16). 


29  Ibid. 
[Figure 16 (image not reproduced): NetWeaver network multi-CU topology with Central Unit 1 and Central Unit 2] 

Figure 16: NetWeaver CU Topology30 


NetWeaver cells can be augmented or interconnected by WaveLyNX and 
NetWeaver's MDR132 digital modems can interface with the 3.2 Mbps WaveAccess 
Jaguar WLAN. This allows for reliable indoor roaming. 


30  Ibid. 
III. SECURITY CONCERNS FOR WIRELESS 


Security  for  all  network  types  is  important.  Disgruntled  former  employees, 
Internet  hackers,  and  industrial  spies  are  all  possible  network  attackers.  How  they  might 
use  WLANs  is  discussed  in  this  chapter. 

A.  GENERAL  SECURITY  LEVELS 

Security  levels  in  wireless  communication  channels,  grouped  from  most  secure  to 
least  secure,  are  defined  as: 

• Secure Military Systems (JTIDS, MILSTAR, GPS): Wireless military 
communication systems are used for electronic warfare (EW), electronic 
countermeasures (ECM), and electronic counter-counter measures (ECCM). 
Some military systems can counteract jamming (denial of access), spoofing, 
and detection using anti-jam, anti-spoofing, and low-probability-of-intercept 
methods. 

• Secure Public Systems: Secure public systems provide authentication and data 
encryption, but other general security issues are not addressed. 

• Unsecured Public Systems (POTS, AMPS, Two-Way FM, Broadcast): Plain 
old telephone service (POTS), broadcast, and cellular phones are unsecured. 
Advanced mobile phone service (AMPS-Cellular) is protected by regulations 
against eavesdropping, but this is unenforceable.31 

1.  Secure  Military  Systems 

Modern military forces depend on sophisticated radio communication and 
navigation systems. An enemy can employ ECM to detect these radio signals and either 
disrupt or exploit them. Disruption is accomplished by jamming and exploitation by 
using transmissions for their intelligence value. Prior to development of transmission 
security, it was possible to gather intelligence from signals by demodulating and 
decoding them. For some systems it is also possible to "spoof" or provide false 


31 Steve F. Russell, Channel Security Tutorial 
(http://www.ee.iastate.edu/~wireless/security/w_tut_1.html, Iowa State University, February 1997). 

information (counter-intelligence). A diagram of these ECM techniques is shown in 
Figure (17). 


Figure 17: Electronic Warfare Overview for Military Systems32 


Alternate terminologies that describe ECCM concepts include Low Probability of 
Detection (LPD), Low Probability of Exploitation (LPE), and Low Probability of 
Intercept (LPI). LPD prevents the enemy from detecting a radio transmission and 
minimizes power spectral density and detectability. LPE prevents the exploitation of 
signals by decoding, spoofing, or position monitoring. It denies the enemy knowledge of 
the system, its modulation characteristics, its use, and its users. LPI encompasses both 
LPD and LPE and is a generic term from which the term "anti-intercept" is derived. 

2.  Secure  Public  Systems 

The typical public WLAN system is shown in Figure (18). The public network 
(Internet) and the private network (university) are usually not secure. The private 
network (industry), the wireless service provider, and a private LAN are usually secure. 
Figure (18) also illustrates security firewalls for secure private networks. 


32 Ibid. 

Wireless channels are protected only by data encryption, authentication, and 
limited protection to elementary attempts at jamming, spoofing, and interception. 
Channel security characteristics for secure public communication systems are grouped 
into categories shown in Table (1). It shows the ECM and ECCM techniques used to 
combat malicious attacks: 


Elements of Secure Public Communications33 

ECM                 UTILIZATION                                     ECCM 
Detection           Determine Presence and Activity of RF Signal    Anti-Intercept 
Location            Monitor and Track Position of RF Signal         Anti-Intercept 
Denial of Service   Disrupt or Deny Use to Unauthorized Users       Anti-Jam 
Counterfeiting      Theft of Services by Unauthorized Users         Encrypted Authentication 
Decoding            Obtain Information from Attacker                Data Encryption 
Spoofing            Supply Deceptive Information to Attacker        Spoofing Security 

Table 1: Elements of Secure Public Communications34 


33  Ibid. 

34  Ibid. 
Detection determines activity and patterns of use and is the first step in employing 
additional ECM techniques. Location locates and tracks wireless transmitters within the 
network. Some programs locate a cell phone user down to the cell site and antenna 
sector level. Denial of Service is used in the public system to disrupt or deny use to 
unauthorized users. Counterfeiting results in illegal or unauthorized access to services. 
Decoding digital voice and data is the least important, because data encryption methods 
are well advanced and can mitigate this threat. Spoofing security is a developing area of 
ECCM research and supplies deceptive information to an attacker. One example utility 
is the Deception Toolkit from Fred Cohen and Associates.35 

B.  LOGICAL  ACCESS 

Anyone gaining access to a typical commercial-off-the-shelf (COTS) wired LAN 
can potentially damage the network or compromise the integrity of its information. 
Without proper security measures, even authorized users might gain unauthorized access 
to restricted information. In WLANs, wireless channels are shared by multiple users, 
creating the need for a media access control (MAC) protocol to coordinate access. In the 
open system interconnection (OSI) model of communications (Appendix A) the MAC 
function is a sublayer of the Data Link Layer. Each transmitted packet contains a source 
and destination address. Packets with recognized destination addresses stay on the LAN 
while unrecognized packets are presumed destined for another network and are 
forwarded. LAN/WLAN MAC protocols include random access protocols (ALOHA or 
Carrier Sense Multiple Access [CSMA]), reservation techniques (a protocol similar to 
RTS/CTS [Request-To-Send/Clear-To-Send]), or a combination of the two (Time 
Division Multiple Access [TDMA]). 
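
As an added illustration (not code from the thesis), the forwarding decision described above implemented as a small learning bridge, which is the general algorithm of which the paragraph gives one instance: the bridge learns which port each source address arrived on, keeps a frame local when its destination is known to be on the receiving segment, and forwards (floods) frames whose destination it does not recognize. The port names, MAC addresses and frames are constructed for the demonstration.

```python
# Added example: a transparent learning bridge between a wired segment and a
# wireless segment. Every frame carries a source and destination address; the
# bridge learns source addresses per port and forwards unrecognized destinations.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Frame:
    src: str   # source MAC address (constructed values below)
    dst: str   # destination MAC address; ff:ff:ff:ff:ff:ff would be broadcast


@dataclass
class LearningBridge:
    ports: Tuple[str, ...]
    table: Dict[str, str] = field(default_factory=dict)   # MAC address -> port

    def receive(self, in_port: str, frame: Frame) -> List[str]:
        """Return the list of ports the frame is sent out on."""
        # Learn: the source address is reachable through the port it arrived on.
        self.table[frame.src] = in_port
        known_port = self.table.get(frame.dst)
        if known_port == in_port:
            return []                 # recognized, on this segment: stays local
        if known_port is not None:
            return [known_port]       # recognized elsewhere: forward to that port only
        # Unrecognized (or broadcast) destination: flood to every other port.
        return [p for p in self.ports if p != in_port]


def demo() -> Dict[str, List[str]]:
    bridge = LearningBridge(ports=("wired", "wireless"))
    a, b = "00:40:96:aa:00:01", "00:40:96:aa:00:02"   # constructed wired stations
    m = "00:40:96:bb:00:01"                           # constructed wireless station
    return {
        # Nothing learned yet: b is unknown, so the frame is flooded onto the air.
        "unknown_dst_flooded": bridge.receive("wired", Frame(a, b)),
        # a was learned on "wired", so a reply to it stays on the wired segment.
        "local_after_learning": bridge.receive("wired", Frame(b, a)),
        # A wireless station talking to a known wired address is forwarded only there.
        "wireless_to_wired": bridge.receive("wireless", Frame(m, a)),
        # And the wired side now knows m lives on the wireless port.
        "wired_to_wireless": bridge.receive("wired", Frame(a, m)),
    }
```

The first frame in the demo is the security-relevant case: until the bridge has learned a destination, wired-side traffic for it is flooded onto the wireless port, where any receiver in range can hear it (see Eavesdropping below).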

C.  ATTACKS:  LAN  VERSUS  WLAN 

WLANs  possess  the  same  security  problems  as  wired  LANs,  but  new  security 
concerns  emerge  when  using  radio  communications.  Data  transfers  can  be  compromised 
by  sniffers,  radio  frequency  “grabbers”,  and  stray  emissions.  Intentional  or  unintentional 
jamming,  spoofing,  and  eavesdropping  can  degrade  WLAN  security.  New  questions 
emerge:  can  WLANs  exist  side-by-side  without  interference?  Do  they  interfere  with 

35 Fred Cohen and Associates, The Deception Toolkit (http://www.all.net). 

other nearby radio frequencies? How are nearby cell phone communications affected? 
How do cell phones affect WLAN communications? Many of these threats to 
communications security can be mitigated by cryptographic systems that encode data, 
thus providing secrecy and sender authentication, and by firewalls that stop electronic 
intrusion. 

Common  LAN  attacks  can  be  grouped  into  four  categories: 

1) Interruption: This attack makes LAN resources unavailable by interrupting 
service. It can be employed by excessively pinging the network from an 
outside Internet address or by physically cutting system cables. 

2) Interception: This attack captures data about sender and receiver identities. 
An example is data that can be used to exploit personal information about the 
user or to use their address for gaining access to the network. 

3) Modification: This attack modifies captured data and sends it to unsuspecting 
users to trick them into performing actions that are beneficial to the attacker. 

4) Fabrication: This attack falsifies an attacker's identity to lure authorized users 
into providing information useful to the attacker. 

Of  greater  concern  to  the  wireless  system  are  RF  attacks  between  APs  rather  than 
data  manipulation  of  the  actual  packet.  These  attacks  are  derived  from  traditional 
categories  listed  above  and  are  broken  down  into  more  detailed  wireless  classifications: 

•  Eavesdropping 

•  Transitive  Trust 

•  Infrastructure 

•  Denial  of  Service 

1.  Eavesdropping 

Eavesdropping occurs when an attacker unjustly receives transmissions intended 
for someone else. Any receiver within range, outside or inside of the building, can 
eavesdrop on a message. The equipment required to eavesdrop is reasonably priced and 
authorized users cannot detect that the transmission has been compromised. Transceiver 
power and frequency band affect the range where the transmission can be heard. When a 
transceiver operating at greater than or equal to 2 MHz powers up, traffic can be 
eavesdropped from outside of the building unless special electromagnetic shielding is 
used.36 


2.  Transitive  Trust 

Paths of communication that require trust between nodes within the same network 
can be the target of a transitive trust attack. Specifically, if node "A" trusts "B" and B 
trusts "C", then A trusts C. Often, A does not know that it trusts C. These relationships 
can be bi-directional, so the security of a path is equal to the security of the weakest 
node.37 A WLAN AP is the gateway for a transitive trust attack. Once the WLAN is 
fooled into trusting an attacker's computer, the attacker gains access to all systems 
behind the network firewalls. Wired networks physically constrain signals between 
nodes, but there is no way to physically track wireless signal identity during transmission. 
The only current protection is standard IP addressing or a trusted authentication 
mechanism between mobile assets.38 
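
The "A trusts B, B trusts C, so A trusts C" relationship above is a reachability question on a trust graph, and an administrator can audit it mechanically. The following is an added example, not code from the thesis: it computes everything a node ends up trusting transitively, separates out the nodes it trusts only implicitly (through someone else), and rates a trust path by its weakest node as the paragraph states. The node names, the trust edges (a wired LAN "A", an access point "B", a mobile "C") and the numeric security levels (1 = weakest, 5 = strongest) are constructed for the illustration.

```python
# Added example: auditing transitive trust in a small network trust graph.
from collections import deque
from typing import Dict, List, Optional, Set

Trusts = Dict[str, Set[str]]   # node -> set of nodes it trusts directly


def transitive_trust(trusts: Trusts, start: str) -> Set[str]:
    """Every node that `start` trusts, directly or through a chain (A->B->C)."""
    seen: Set[str] = set()
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for peer in trusts.get(node, set()):
            if peer != start and peer not in seen:
                seen.add(peer)
                queue.append(peer)
    return seen


def implicit_trust(trusts: Trusts, start: str) -> Set[str]:
    """Nodes `start` trusts only because a node it trusts trusts them ("A does not know it trusts C")."""
    return transitive_trust(trusts, start) - trusts.get(start, set())


def trust_path(trusts: Trusts, start: str, target: str) -> Optional[List[str]]:
    """Shortest chain of trust from start to target (breadth-first), or None if there is none."""
    previous: Dict[str, Optional[str]] = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            break
        for peer in trusts.get(node, set()):
            if peer not in previous:
                previous[peer] = node
                queue.append(peer)
    if target not in previous:
        return None
    path: List[str] = []
    node: Optional[str] = target
    while node is not None:
        path.append(node)
        node = previous[node]
    return path[::-1]


def path_security(trusts: Trusts, levels: Dict[str, int], start: str, target: str) -> Optional[int]:
    """The security of a trust path equals the security of its weakest node."""
    path = trust_path(trusts, start, target)
    return None if path is None else min(levels[n] for n in path)


def demo() -> dict:
    # Constructed graph: the wired LAN "A" trusts the access point "B", and the
    # access point and an associated mobile "C" trust each other (bi-directional).
    trusts: Trusts = {"A": {"B"}, "B": {"C"}, "C": {"B"}}
    levels = {"A": 5, "B": 3, "C": 1}   # constructed ratings, 1 = weakest
    return {
        "A_trusts": sorted(transitive_trust(trusts, "A")),
        "A_implicitly_trusts": sorted(implicit_trust(trusts, "A")),
        "A_to_C": trust_path(trusts, "A", "C"),
        "A_to_C_security": path_security(trusts, levels, "A", "C"),
    }
```

In the constructed graph the wired LAN never lists the mobile as trusted, yet `implicit_trust` reports it, and the path A-B-C rates 1, the level of the mobile, which is the weakest-node rule the paragraph describes.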

3.  Infrastructure 

Infrastructure attacks are launched against internal system weaknesses including 
software bugs, configuration mistakes, and hardware failures. These occur in WLANs, 
but attack protection is almost impossible. A bug is not discovered until something bad 
happens, so the only recourse is to minimize damage. 

4.  Physical  Denial  of  Service 

WLANs are vulnerable to physical denial of service attacks. A powerful 
attacking transmitter can generate interference from outside of the site rendering the 
WLAN useless. The only complete protection is to use the WLAN within a Faraday cage 

36 Sami Uskela, Security in Wireless Local Area Networks (http://www.tcm.hut.fi/Opinnot/Tik-
110.501/1997/wireless_lan.html#IntegrityandConfidentiality, Department of Electrical and Communications 
Engineering, Helsinki University of Technology, December 1997). 

37 Department of Defense Standard, Trusted Computer System Evaluation Criteria, 
(http://www.radium.ncsc.mil/tpep/library/rainbow/5200.28-STD.html#HDR6.3, DOD 5200.28-STD, 
December 1985). 

38 Ibid., p. 6. 

(a conducting cage that shields electronic equipment). Authorities can locate the 
offending transmitter for as long as the attack continues. 

D.  ANALYSIS  OF  TOOLS  WITHIN  THE  WIRELESS  CONTEXT 

The above active attacks show possible weaknesses of wireless networks. There 
are many tools that exploit these vulnerabilities and most are free on the Internet. 
Intrusion detection tools are also available, but require diligence in their implementation. 
Hacker and intrusion detection tools are discussed here. It is important to understand 
how they work, so that less vulnerable wireless networks can be designed. This overview 
of tools will further help the reader understand the security analysis described in the case 
study. 


1.  Hacker  Tools  in  WLANs 

Malicious  hacker  tools  evolve  as  network  loopholes  are  discovered.  Their 
proliferation  within  the  wired  LAN  environment  is  testimony  to  their  impending  use 
within  WLANs.  They  may  all  be  used  to  attack  WLANs  and  the  attacker  can  easily  hide 
by  logging  on  remotely.  Some  of  the  better  known  and  therefore  more  frequently  used 
tools  of  the  network  hacker  are  described  below. 

a. Satan 

The "Satan" (Security Administrator Tool for Analyzing Networks) LAN 
administrative tool is powerful and easy to use, but can also intrude on and degrade 
network security. It reports security weaknesses in networks by intruding the same way 
an attacker would: from a host that is not part of the LAN. An administrator can discover 
many security holes and repair them. Satan can make systems more secure, but a site's 
administrators must use and act on its results before an attacker does. A skilled 
programmer can modify it making it intrusive, as the product is distributed with complete 
source code. It is also user friendly. Its graphical user interface (GUI) is so easy to use 
that less experienced hackers can operate it.39 


39 Clinton Wilder and Jason Levitt, Cure Or Curse?, (http://wwwjwedk;.com/521/21nttsat.htm, April 1995). 

b. Back Orifice 

Back Orifice (BO) is a Windows 95 administration system that allows 
users to control network machines remotely. From a remote LAN or the Internet, BO 
users have more control of a network machine than the person at the keyboard of that 
machine. After self installation is complete the executables are placed into the system 
where it avoids interference with other applications. After system power up, BO does not 
display on the task or close-program list and reruns every time the computer is started. 

Back Orifice's capabilities are numerous. Network resources and lists of 
incoming and outgoing connections can be viewed. Network connections can be created 
and deleted. Exported resources and their passwords can be listed, created, and deleted. 
TCP ports can be redirected and files uploaded and downloaded on any port using a web 
browser. Files and directories can be copied, renamed, deleted, viewed, and searched. It 
also lists, creates, deletes, and sets keys and values in the registry.40 

c. Internet Protocol Spoofing 

Internet Protocol (IP) spoofing hides a true IP address on Ethernet 
networks while making it appear to have an entirely different address. Blind spoofing is 
available on all other networks meaning an attacker cannot see which remote host is 
responding. During blind spoofing the remote host responds to the fake address. The 
attacker, therefore, never sees this response.41 

d. L0pht Crack 

L0pht Crack is a Windows 95/NT password cracker and auditing tool 
created by L0pht Heavy Industries. Mg. V. Glenn Schoonover, Chief, Network Security, 
Single Agency Manager for Pentagon IT Services stated, "No kidding, this is one bad 
tool. We ran this against a base of 5,000 users and it cracked passwords that had 
previously been uncrackable."42 

40 Jim Williams, Hacker Tools, (http://netsecurity.miningco.com/msub19.htm, December 1998). 

41 Ibid. 

42 Ibid. 

L0phtCrack 2.0 is shareware and was originally envisioned as an 
experimental research tool. The trial period is 15 days after which the product must be 
registered for $50. A stripped down version with source code is available for free. 

e. NT Recover/Locksmith 

NT Recover/Locksmith accesses WinNT computers through a serial 
connection. It can change the administrator's password when the original password has 
been lost. NT Recover/Locksmith has a 100% success rate and gains entry within 
minutes.43 

f. Snadboy's Revelation 

Snadboy's Revelation uncovers passwords that Windows 95/98 have 
hidden behind asterisks. Users can also reclaim previously deleted passwords. 
Snadboy's Revelation is freeware, but the source code is available for $150.00.44 

g. Password Hacker 

Password Hacker is similar to Snadboy's Revelation by revealing 
passwords normally hidden behind asterisks.45 

h. Portscan 

Portscan allows scanning for open ports on a host in a specified port 
range. For example, if the host "microsoft.com" and then the port range from 50 to 150 
are entered, the user may get port 80 in an output text box. This shows that a Web server 
is running on that host.46 


43 Ibid. 

44 Ibid. 

45 Ibid. 

46 Ibid. 

i. Sniffit 

Sniffit is a packet sniffer used on UNIX, Linux, FreeBSD, and Irix 
systems. It listens to all TCP/IP traffic on a subnet, intercepts outgoing and incoming 
requests for Web documents, and decodes authentication passwords. Its scripts wrap 
around the UNIX tcpdump network debugging utility which comes pre-installed in 
UNIX. These scripts will not work on Windows or Macintosh systems, because tcpdump 
is not available on these platforms.47 

2. Intrusion Detection Tools 

Intrusion detection is currently being used as a panacea - a poor substitute for well 
engineered solutions. Previously described attacks cannot be countered without 
knowledge that the attack is occurring. Below the most common intrusion detection 
tools and their capabilities are described. 

a. Intruder Alert Version 3.0 

Intruder Alert Version 3.0 "...monitors and responds to information 
system threats in real-time across distributed computing platforms."48 It automatically 
detects attacks, unauthorized activity, and network abuse from both internal and external 
sources. Intruder Alert uses centralized audit information collection and audit 
reduction capabilities. Intruder Alert runs in the Windows NT background and detects 
real-time system events by monitoring audit logs. It then sends a warning email to the 
administrator and establishes secure communications with the Manager component using 
a 400 bit Diffie-Hellman key. Once authenticated, an algorithm encrypts the Agent's 
communications. 


47 Ibid. 

48 Steven R. Balmer and Rett SiMey, Intrusion Detection Technology Experiences with Axent Intruder 
Alert, (Naval Postgraduate School, August 1998). 

b. ISS REALSECURE Version 2.5 

ISS REALSECURE is a host based network traffic analyzer with a unique 
attack recognition engine. Its components include a console and multiple engines. The 
console gathers information from engines that are running throughout the network. 
These engines leave no evidence that they are active.49 

c. Kane Security Monitor 3.13 

Kane Security Monitor watches the network and provides an alarm for 
intended intrusion, obvious violations, and irregularities in user behavior. It also 
analyzes security event logs on servers and workstations. Kane's agent service collects 
data based on matched security patterns from event logs and passes it to an auditor 
service. From his console, an administrator can easily install an agent on any NT server 
or workstation.50 

d. Session Wall-3 

Session Wall is a sniffer that detects network abuses. It can generate a 
complete picture that sees the network one packet at a time. It only monitors the segment 
to which it is attached and monitoring of multiple segments requires installation of 
multiple network cards. It is best placed on either side of the firewall or network point of 
entry to the Internet.51 
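
Intruder Alert and Kane Security Monitor above are both described as matching security event log records against patterns and raising a warning for the administrator. The following is an added example of that core loop, written for this page and not taken from Axent, Kane or the thesis: it parses a handful of constructed NT-style audit records, applies three detection rules (a burst of failed logons followed by a success, a change to the audit policy, and an interactive logon outside working hours), and builds the warning e-mail message. The record format, the account and host names and the thresholds are constructed; the event ids 528 (successful logon), 529 (failed logon) and 612 (audit policy change) are the Windows NT 4 security event ids.

```python
# Added example: a small host-based audit-log monitor of the kind described for
# Intruder Alert and Kane Security Monitor (pattern matching over event log
# records, then a warning e-mail). Sample records are constructed.
import re
from collections import defaultdict
from datetime import datetime, timedelta
from email.message import EmailMessage
from typing import Dict, List

# Constructed sample log: "<date> <time> <event id> <account> <workstation> <outcome>"
SAMPLE_LOG = """\
1998-12-03 02:11:05 529 jsmith WS17 FAILURE
1998-12-03 02:11:09 529 jsmith WS17 FAILURE
1998-12-03 02:11:14 529 jsmith WS17 FAILURE
1998-12-03 02:11:20 528 jsmith WS17 SUCCESS
1998-12-03 09:30:00 528 mbrown WS04 SUCCESS
1998-12-03 09:45:12 612 SYSTEM WS04 SUCCESS
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\d+) (\S+) (\S+) (SUCCESS|FAILURE)$")


def parse(log_text: str) -> List[Dict]:
    """Turn log lines into records; malformed lines are skipped, not fatal."""
    records = []
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        ts, event, account, host, outcome = match.groups()
        records.append({"time": datetime.fromisoformat(ts), "event": int(event),
                        "account": account, "host": host, "outcome": outcome})
    return records


def detect(records: List[Dict], max_failures: int = 3,
           window: timedelta = timedelta(minutes=5)) -> List[str]:
    """Return one alert string per matched pattern, in log order."""
    alerts: List[str] = []
    failures: Dict[str, List[datetime]] = defaultdict(list)
    for r in records:
        # Rule 1: several failed logons followed by a success (a guessed password).
        if r["event"] == 529:
            failures[r["account"]].append(r["time"])
        elif r["event"] == 528 and r["account"] in failures:
            recent = [t for t in failures[r["account"]] if r["time"] - t <= window]
            if len(recent) >= max_failures:
                alerts.append(f"{r['account']}@{r['host']}: {len(recent)} failed logons "
                              f"then success at {r['time']}")
            failures[r["account"]].clear()
        # Rule 2: the audit policy changed, which an intruder may do to hide.
        if r["event"] == 612:
            alerts.append(f"{r['host']}: audit policy changed by {r['account']} at {r['time']}")
        # Rule 3: a logon outside working hours (constructed: 07:00 to 19:00).
        if r["event"] == 528 and not 7 <= r["time"].hour < 19:
            alerts.append(f"{r['account']}@{r['host']}: logon at {r['time']} outside working hours")
    return alerts


def warning_email(alerts: List[str], admin: str = "admin@example.org") -> EmailMessage:
    """The warning the administrator would receive (built, not sent)."""
    msg = EmailMessage()
    msg["To"] = admin
    msg["Subject"] = f"{len(alerts)} intrusion alert(s)"
    msg.set_content("\n".join(alerts))
    return msg


def run() -> List[str]:
    return detect(parse(SAMPLE_LOG))
```

The sample produces three alerts: the failed-logon burst on WS17, the same logon flagged as outside working hours, and the audit policy change on WS04. Both rules on the first logon fire from one record, which is the audit-reduction point the Intruder Alert description makes: the monitor, not the administrator, correlates the individual events.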


49 Larry Brachfeld, Jimmy Francis, Dan Morris, and Scott Robin, Evaluation of RealSecure, (Naval 
Postgraduate School, CS3670, November 1998). 

50 Enno Busch, Murat Akb^, and George Floros, Intrusion Detection System (IDS) Project I Report, 
(Naval Postgraduate School, CS3670). 

51 Dave Hensley, Katrina HenriQ', and Les Prior, Intrusion Detection System Evaluation, Session Wall-3 by 
AbirNet Inc. (Naval Postgraduate School, CS3670, November 1998). 
E. SECURITY STANDARDS 

HIPERLAN and IEEE 802.11 are two WLAN standards that present features to 
address security vulnerabilities. Many wireless products have no security functions and 
even IEEE 802.11 labels such functions as optional.52 

1. HIPERLAN 

The High Performance European Radio Local Area Network (HIPERLAN) 
standard is the wireless broadband access standard created by the European 
Telecommunications Standards Institute (ETSI). This standard defines part of the OSI 
model's physical and data link layer (DLL). The HIPERLAN physical layer operates in 
two frequency bands: 5.15 to 5.25 GHz and 17.1 to 17.3 GHz. Equipment transmitting in 
the first band may operate a 1 W transmitter and the second band with a 100 mW 
transmitter. A 25 Mbps bit rate at the 5 GHz physical layer can operate on five different 
channels and can grant users equal access to the spectrum. This supports a wide range of 
applications. HIPERLAN equipment cannot legally use the two upper channels of the 5 
GHz band in some countries. 

The HIPERLAN MAC sub-layer is a decentralized sub-system allowing ad-hoc 
applications. This sub-layer provides equipment interoperability and ensures a level of 
security against casual eavesdropping. Connectivity within a single HIPERLAN is 
accomplished at the MAC level by special nodes called "forwarders". When a signal's 
intended receiver is out of range, forwarders act as extensions that relay packets on to 
their final destinations. 

HIPERLAN's European Telecommunications Standard (ETS) draft specification 
was approved by ETSI in February 1995 with the following properties: 

1) It may be used in pre-arranged or ad-hoc fashion. 

2) It supports node mobility. 

3) It may have a coverage beyond the radio range limitation of a single node. 

4) It supports both asynchronous (no timing requirement for transmission and the 
start of each character is individually signaled by the transmitting device) and 
time-bounded communication using a Channel Access Mechanism. 


52 Ibid. 

5) Its nodes may conserve communication power by arranging active reception 
times.53 

a. Encryption-Decryption 

HIPERLAN defines an optional encryption-decryption scheme. It uses a 
set of shared keys, referred to as the HIPERLAN key-set. Each key has a unique identifier 
and plain text is ciphered by an XOR operation with a confidential algorithmic pseudo-
random sequence (Figure (19)). 

Figure 19: HIPERLAN Encryption-Decryption Scheme54 

b. Protection 

Wired Equivalent Privacy (WEP) protection levels cannot be evaluated 
here, because they are proprietary. The HIPERLAN standard does not define any 
authentication, so WEP security should not be trusted in sensitive applications. 

2.  IEEE  802.11 

IEEE 802.11 is the WLAN standard developed by the Institute of Electrical and 
Electronics Engineers (IEEE). It resolves compatibility issues between manufacturers of 

53 Ibid. 

54 Opinnot, HIPERLAN encryption-decryption scheme, (http://www.tcm.hut.fi/Opinnot/Tik-
110.501/1997/images/hiperlan.gif, 1997). 

WLAN equipment and products supporting it are already on the market. IEEE 802.11 
defines the physical layers and the MAC sublayers for wireless. All physical layers offer 
a 2 Mbps data rate at the 2.4-2.4835 GHz band. The MAC layer has the following 
features: 

1) Supports Isochronous (uniform in time; having equal duration) as well as 
Asynchronous data. 

2)  Supports  priority. 

3)  Association/disassociation  to  an  AP  in  a  Basic  Service  Set  (BSS)  (a  set  of 
stations  communicating  wirelessly  on  the  same  channel  in  the  same  area)  or 
Extended  Service  Set  (ESS)  (a  set  of  BSSs  and  wired  LANs  with  AP’s  that 
appear  as  a  single  logical  BSS). 

4)  Re-association  with  or  Mobility  Management  to  transfer  association  between 
APs. 

5)  Power  Management  to  save  battery  time. 

6)  Authentication  to  establish  terminal  identity. 

7)  Acknowledgment  to  ensure  reliable  transmission. 

8)  Timing  synchronization  to  coordinate  terminals. 

9)  Sequencing  with  duplication  detection  and  recovery. 

10)  Fragmentation  re-assembly. 

a. Authentication 

IEEE 802.11 defines two authentication schemes: Open System and 
Shared Key Authentication. The former is a null authentication, because all mobile units 
are accepted to the network. For the latter, a mobile unit requests authentication and the 
base sends an encrypted 128 octet (1024 bits) random number to it using a shared key. 
The unit decrypts the number using the same key and responds. If the base receives the 
correct number, the mobile is accepted into the network. All accepted mobiles use the 
same shared key. Mobiles cannot be distinguished between each other and there is no 
way to authenticate the network by the mobile. 

b.  Wired  Equivalent  Privacy 

IEEE  802.11  defines  an  optional  Wired  Equivalent  Privacy  (WEP) 
mechanism  to  ensure  confidentiality  and  integrity  of  network  traffic.  WEP  is  used  at  the 
station-to-station level and uses the RC4 PRNG (pseudo-random number generator) 
algorithm. It uses a 40 bit secret and a 24 bit initialization vector (IV) sent with the 
data. WEP also appends an integrity check vector (ICV), so the receiver can verify that 
the cipher text block it decrypts is intact. This is illustrated in Figure (20). 


Figure 20: WEP Mechanism55 

c. Pseudo-Random Number Generator Algorithm 

The PRNG algorithm is proprietary, but has been studied in independent 
research laboratories under nondisclosure agreements. No weaknesses have been 
reported. However, the secret key can be revealed by using brute-force attack in two 
seconds with tested $100,000 hardware and 0.2 seconds with tested $1,000,000 hardware 
according to 1995 figures.56 
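
The Shared Key authentication exchange (section a), the WEP encapsulation (section b, Figure 20) and the HIPERLAN keystream-XOR cipher (Figure 19) are all small enough to model end to end. The block below is an added example written for this page, not code from the thesis, from IEEE or from ETSI. It implements RC4, builds a WEP frame as IV || (plaintext || ICV) XOR RC4(IV || key) with the 40-bit key and 24-bit IV the text gives, decrypts and checks it on the receiving side, and runs the four-frame Shared Key exchange between a station and an access point. Two things are assumptions or differ from the page: the ICV is the CRC-32 that 802.11 specifies (the text does not name the algorithm), and the direction of encryption follows the IEEE 802.11 frame order, in which the challenge travels in the clear and the station returns it WEP-encrypted; the paragraph above describes the encryption in the other direction, and the limitations it notes (one key for every mobile, no authentication of the network by the mobile) hold either way. The HIPERLAN scheme has the same XOR structure with a different source of pseudo-random sequence. The key, IVs and payloads are constructed.

```python
# Added example: WEP encapsulation and IEEE 802.11 Shared Key authentication,
# modelled with a station and an access point sharing one 40-bit key.
import os
import struct
import zlib
from typing import Optional


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Standard RC4: key scheduling, then n bytes of pseudo-random output."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < n:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(data: bytes) -> bytes:
    """Integrity check vector: CRC-32 of the plaintext (as 802.11 specifies)."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(key40: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body = IV (24 bits, in clear) || (plaintext || ICV) XOR RC4(IV || key)."""
    assert len(key40) == 5 and len(iv) == 3, "WEP: 40-bit key, 24-bit IV"
    body = plaintext + icv(plaintext)
    stream = rc4_keystream(iv + key40, len(body))   # per-frame seed is IV || key
    return iv + bytes(a ^ b for a, b in zip(body, stream))


def wep_decrypt(key40: bytes, frame: bytes) -> Optional[bytes]:
    """Return the plaintext, or None when the ICV does not match after decryption."""
    iv, ciphertext = frame[:3], frame[3:]
    stream = rc4_keystream(iv + key40, len(ciphertext))
    body = bytes(a ^ b for a, b in zip(ciphertext, stream))
    data, tag = body[:-4], body[-4:]
    return data if icv(data) == tag else None


def shared_key_auth(ap_key: bytes, station_key: bytes, iv: bytes = b"\x00\x00\x01") -> bool:
    """Four frames: request; 128-octet challenge in clear; WEP reply; accept or reject."""
    challenge = os.urandom(128)                       # frame 2, AP -> station, in clear
    reply = wep_encrypt(station_key, iv, challenge)   # frame 3, station -> AP
    return wep_decrypt(ap_key, reply) == challenge    # frame 4: accepted only on a match


def demo() -> dict:
    key = bytes.fromhex("0123456789")      # constructed 40-bit key shared by all mobiles
    outsider = bytes.fromhex("aabbccddee")  # constructed key of a unit not in the network
    frame = wep_encrypt(key, b"\x01\x02\x03", b"constructed payload")
    return {
        "roundtrip": wep_decrypt(key, frame),
        "wrong_key_rejected": wep_decrypt(outsider, frame) is None,
        "station_with_key": shared_key_auth(key, key),
        "station_without_key": shared_key_auth(key, outsider),
        # Every mobile holds the same key, so the AP sees two of them identically:
        # the exchange proves possession of the key, not which unit is talking.
        "two_stations_same_key": [shared_key_auth(key, key), shared_key_auth(key, key)],
    }
```

Nothing in the exchange is sent by the access point that only the genuine network could produce, so the station learns nothing about who it is talking to, which is the "no way to authenticate the network by the mobile" point of section a; and the ICV in `wep_decrypt` only tells the receiver that decryption came out consistent, not who encrypted.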

F. CONCLUSION

Diligent security management is important to both wired and wireless LANs. WLANs can take advantage of available wired LAN security measures and add features not available in the wired world. Authentication mechanisms may be used over IP to perform end-to-end authentication, but this presents a potential launch pad for an attacker: the hardware- or software-based mechanism becomes the only security layer between the network and the attacker. The nature of radio communication makes it practically impossible to prevent some attacks, such as physical denial of service and eavesdropping, but if security is considered while WLANs are being designed, they can be made more secure.

55 Opinnot, WEP mechanism, (http://www.tcm.hut.fi/Opinnot/Tik-110.501/1997/images/ieee2.gif, 1997).
56 Ibid., p. 6.
IV. ANALYSIS AND EVALUATION


Network designers and administrators face many technology and hardware options. Available technologies, topologies, and vendors are analyzed using Kiviat diagrams.[57] These diagrams graphically display analyzed attributes by giving a logical "picture" of the final evaluation. A Kiviat diagram consists of axes originating from a central point in a circular diagram. Each axis represents a criterion pertinent to the analyzed category, with measured gradients from one to five. Each axis and its measurement are defined prior to the subject category, summarized in a table, and then shown on the Kiviat graph. A perfect evaluation yields a drawing similar to Figure (21). Each subject area may differ in its number of axes, but the number of axes and the evaluation criteria are the same within each category. As will be explained in subsequent sections, these criteria are considered to be of equal importance. Therefore, they are also equally weighted on the Kiviat scales to provide a balanced analysis. The evaluation scope begins with available transmission technologies, narrows to popular topologies, and then to vendor products.


57 Shawn D. James, Thinking Strategically about Information-Based Conflict: Developing an Analytical Approach to Operational Measures of Effectiveness, (Naval Postgraduate School, Thesis, September 1996), p. 141.


Figure 21: Shaded Kiviat Diagram [58]

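The rating method just described, as an added example that is not part of the thesis: a small Python routine that turns a list of one-to-five axis ratings into the area of the Kiviat polygon, normalizes it against the fully shaded drawing of Figure 21, and ranks candidates. The ratings in `EXAMPLE` are constructed for illustration and are not the thesis's table values.

```python
import math
from typing import Dict, List, Sequence, Tuple

SCALE_MAX = 5  # every axis is graded from one to five, as in the thesis


def kiviat_area(ratings: Sequence[float]) -> float:
    """Area of the polygon obtained by plotting each rating on its own axis
    (equally spaced, equally weighted) and joining adjacent points.
    Adjacent axes i and i+1 enclose a triangle of area r_i * r_{i+1} * sin(2*pi/n) / 2."""
    n = len(ratings)
    if n < 3:
        raise ValueError("a Kiviat polygon needs at least three axes")
    for r in ratings:
        if not 1 <= r <= SCALE_MAX:
            raise ValueError(f"rating {r} is outside the 1..{SCALE_MAX} scale")
    wedge = math.sin(2 * math.pi / n) / 2
    return wedge * sum(ratings[i] * ratings[(i + 1) % n] for i in range(n))


def kiviat_score(ratings: Sequence[float]) -> float:
    """Area normalized by the fully shaded diagram (all axes at 5): 1.0 is Figure 21."""
    return kiviat_area(ratings) / kiviat_area([SCALE_MAX] * len(ratings))


def weakest_axis(ratings: Sequence[float], axes: Sequence[str]) -> Tuple[str, float]:
    """Area rewards breadth and can hide a single bad axis; for a security
    evaluation the lowest axis is the number to report next to the score."""
    i = min(range(len(ratings)), key=lambda k: ratings[k])
    return axes[i], ratings[i]


def rank(candidates: Dict[str, Sequence[float]]) -> List[str]:
    """Candidate names ordered from best to worst by normalized Kiviat area."""
    return sorted(candidates, key=lambda name: kiviat_score(candidates[name]), reverse=True)


# Axis labels follow the thesis's six transmission-technology criteria.
AXES = ("active attacks", "installation", "interference", "speed", "range", "signal security")

# Constructed ratings for illustration only; not the thesis's Table 3 values.
EXAMPLE = {
    "tech-A": (4, 4, 5, 2, 4, 4),
    "tech-B": (2, 4, 2, 4, 4, 3),
    "tech-C": (5, 5, 5, 5, 5, 1),
}

if __name__ == "__main__":
    for name in rank(EXAMPLE):
        print(name, round(kiviat_score(EXAMPLE[name]), 3), weakest_axis(EXAMPLE[name], AXES))
```

Two properties of the area measure are worth knowing before reading the diagrams that follow. First, the same six ratings in a different axis order give a different area, because only adjacent axes multiply; the axis order in the tables is therefore part of the method. Second, `tech-C` above ranks first with a signal-security rating of 1, which is exactly the case a security reader cares about, so `weakest_axis` is reported alongside the score.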

A. TRANSMISSION TECHNOLOGIES

Narrowband microwave, infrared, and spread spectrum were explained earlier, but further analysis of spread spectrum capabilities is provided here. Spread spectrum signals are hard to exploit or spoof, making them attractive for military use. Signal exploitation occurs when a non-network member listens to the network and uses the acquired information for its own advantage. Spoofing is maliciously introducing unauthorized traffic into a network under a false address. Advantages claimed for FHSS over DSSS are discussed below; the source is a white paper from Proxim, an FHSS vendor, and the comparison should be read with that in mind.[59]

• Throughput: Point-to-point throughput varies among both DSSS and FHSS products. DSSS protocols sacrifice mobility and roaming performance for throughput, while FHSS provides better power efficiency, signal efficiency, mobility, and immunity from multipath interference.


58 Ibid.

59 Proxim White Paper, Wireless LAN Technology, http://www.proxim.com/learn/whiteppr/select.shtml.
• Interception: DSSS data is easier to intercept than FHSS data. Constant hopping of FHSS signals makes them less susceptible to interference and interception. DSSS, on the other hand, uses simple spreading codes that allow transmissions to be mapped back into the original data. Once an attacker is on the DSSS frequency, he need only transform the signal back to its original form using the appropriate algorithm. Both DSSS and FHSS can be supplemented with specialized encryption devices, but this increases the cost, weight, and power consumption of the mobile unit.

• Power: FHSS radios use less power than DSSS radios and have a practical limit of 2 Mbps. The 8 Mbps rate of direct sequence radios is only necessary if high performance is key, and it is more sensitive to interference.

• Efficiency: FHSS can provide up to four times more network capacity than DSSS. In the 2.4 GHz band, the maximum number of non-overlapping 2 Mbps DSSS channels is three (for a total capacity of 6 Mbps).

• Mobility: FHSS products provide better mobility, are smaller, lighter, and consume less power. Unlike DSSS, FHSS incorporates roaming without sacrificing throughput and scalability.

• Overlapping: This is a form of non-malicious interference caused by stray external radio emissions overlapping the network signals. DSSS networks are susceptible to overlapping, but FHSS networks can simply "hop around" it. FHSS products spend only milliseconds at each frequency. DSSS is not frequency agile: products using DSSS are set at stationary, preselected frequencies and cannot avoid this interference.

• Immunity from Multipath Interference: Multipath interference is caused when signals bounce off walls, doors, or other objects so that copies of the signal arrive at the destination at different times. FHSS avoids this problem automatically by hopping to a different frequency that is not attenuated. DSSS is not capable of overcoming this effect.

1. Transmission Technology Evaluation

All transmission technologies are evaluated using the following equally weighted axis criteria, displayed in Table (2):

a. Resilience against active attacks
b. Ease of hardware installation
c. Resilience against interference/blockage
d. Transmission speed
e. Range between nodes
f. Signal security


Table 2: Transmission Technology Axis Criteria

Axis                                     Rating  Meaning
a. Resilience against active attacks     1       Possesses very little protection.
                                         2       Possesses some protection.
                                         3       Possesses moderate protection.
                                         4       Possesses good protection.
                                         5       Possesses complete protection.
b. Ease of hardware installation         1       Very difficult; contractor installation is required.
                                         2       Difficult; experienced personnel can accomplish.
                                         3       Moderately difficult; some experience required.
                                         4       Easy; experience helpful, but not required.
                                         5       Very easy; no experience required.
c. Resilience against                    1       Interference cannot be avoided.
   interference/blockage                 2       Difficult to avoid interference.
                                         3       Interference avoidable with some installed precautions.
                                         4       Some interference problems, but they are avoidable.
                                         5       Has no interference problems.
d. Transmission speed                    1       Very slow.
                                         2       Slow.
                                         3       Moderately fast.
                                         4       Fast.
                                         5       Extremely fast.
e. Range between nodes                   1       Very poor; must be within a few feet of the AP.
                                         2       Poor; must be within the same room.
                                         3       Average; APs can be in adjacent rooms.
                                         4       Good; must be within the same building.
                                         5       Very good; no range limitations when using directional antennas between buildings.
f. Signal security                       1       Unsecured; encryption/decryption does not prevent security intrusion.
                                         2       Poor; encryption/decryption may prevent security intrusion.
                                         3       Average; encryption/decryption prevents security intrusion.
                                         4       Secure; signal is difficult to break, but encryption/decryption is advised.
                                         5       Completely secure; encryption/decryption is not required.
Each technology is evaluated in Table (3) and the results graphically displayed in Figures 22 and 23.


Table 3: Transmission Technology Evaluation

Technology            Axis  Evaluation
Narrowband microwave  a     Is susceptible to eavesdropping and denial of service.
                      b     Professional installation necessary for FCC compliance.
                      c     Interference avoidable with FCC licensing.
                      d     Is a high speed radio frequency transmission.
                      e     Is designed for use between buildings.
                      f     Encrypted signal is mixed with the carrier frequency.
Infrared              a     Attacks must be initiated within the same room.
                      b     Ad hoc configurations are installed using COTS products.
                      c     Blockage is unavoidable.
                      d     Very fast: 50 Mbps.
                      e     Range is limited to three feet.
                      f     (illegible)
FHSS                  a     Is susceptible to physical denial of service.
                      b     Requires basic installation skills. Algorithms and FCC requirements are pre-programmed.
                      c     Can hop around interference.
                      d     Uses radio frequencies at 2 Mbps.
                      e     Must be within the same building; range depends upon transmitter power.
                      f     Hopping algorithms can be kept secret.
DSSS                  a     Susceptible to all forms of attack, but its code is easier to break than FHSS algorithms.
                      b     Requires basic installation skills. Bit codes and FCC requirements are pre-installed.
                      c     Operates on a pre-set frequency; susceptible to malicious transmitters.
                      d     Maximum 8 Mbps if using expensive "top-of-the-line" equipment.
                      e     Must be within the same building; range depends upon transmitter power.
                      f     Bit codes can be kept secret; supplementary encryption is advised.
Figure 22: Technology Evaluation


Figure 23: Best Technology (FHSS)


2. Best Technology Analysis

Both spread spectrum methods carry large volumes of data, but FHSS is superior. It is scalable, mobile, secure, can accommodate overlapping networks, and is resistant to interference. FHSS is the best technology for 2.4 GHz wireless networks.
B. TOPOLOGIES


Multiple topologies have been discussed and all are acceptable networking architectures. Deciding which to use depends upon how the topology will be used. Evaluating each topology under generic conditions will determine the best model.

1. Topology Evaluation

Wireless topologies are evaluated using the same axis criteria as defined for transmission technologies, with the exception of axis "d". The criteria for transmission technology axes "a" through "c" and "e" through "f" are directly related to wireless topologies, while the axis "d" criterion (transmission speed) is not. Use of centrally shared resources is evaluated on this axis instead, as defined in Table (4):


Table 4: Axis "d" Criteria For Topology Evaluation

Axis                             Rating  Meaning
d. Use of centrally shared       1       No access to centrally shared resources.
   resources                     2       Access to non-centrally shared resources.
                                 3       Access to shared resources, but not continuous.
                                 4       Access to shared resources, but not interactive.
                                 5       Continuous, interactive access to centrally shared resources.


Each topology is evaluated in Table (5) and the results graphically displayed in Figures 24 and 25.


Table 5: Topology Evaluation

Topology                                 Axis  Evaluation
Topology 1 (no central resources)        a     Possesses no MAC controls; susceptible to active attacks.
                                         b     Any computer can be added to the network.
                                         c     Has no wired protections within the network.
                                         d     Has no access to centrally stored resources.
                                         e     Is susceptible to physical blockage (walls).
                                         f     Possesses no network firewall nor secure backbone.
Topology 2 (single base station, BS)     a     Possesses no MAC controls; susceptible to active attacks.
                                         b     Any computer can be added to the network.
                                         c     Has no wired protections within the network.
                                         d     Has access to one BS.
                                         e     Is range restrictive, but the BS reco... (entry truncated in source)
                                         f     Possesses no network firewall nor secure backbone.
Topology 3 (cellular)                    a     Secure; protective measures built into wired segments.
                                         b     Access to the wired BS requires configuration.
                                         c     Mobile unit can be handed off to another cell if blocked.
                                         d     Access to one BS at a time; simultaneous access to multiple mobile units.
                                         e     Communication with remote BS via wired segments.
                                         f     Encryption/decryption required on wired segments.
Topology 4 (multiple overlapping BSs)    a     Protective measures built into wired segments.
                                         b     Access to the wired BS requires configuration.
                                         c     Interference/blockage is easy at the wireless segments.
                                         d     Simultaneous access to multiple BSs, but does not know which mobile stations are associated with these BSs.
                                         e     Communication with remote BSs via wired segments, but drift may occur.
                                         f     Encryption/decryption required on wired segments.
Topology 5 (short-range peripherals)     a     Attack must be initiated within the same room.
                                         b     Configuration needed between mobile units and peripherals.
                                         c     Blockage is unavoidable.
                                         d     Has access to non-centrally shared peripherals.
                                         e     Range is limited to three feet using inexpensive equipment.
                                         f     Doesn't have a protected wire backbone.
2. Best Topology Analysis

Cellular topologies are the best for general usage. Their coverage area is adequate for both small and large LANs, and network resources are shared.

C. VENDOR TOPOLOGIES

Commercial products are diverse. Some are specifically designed for small offices while others provide signal transmission from building to building. Each is evaluated using methods similar to those used to analyze technologies and architectural topologies.


1. Vendor Topology Evaluation

Evaluation is limited to vendors that use FHSS with cellular-based topologies, thus eliminating products not suitable for DoD. Axis criteria for "b" and "d" are identical to those used for the technology analysis. Criteria for the remaining axes are defined in Table (6).
Table 6: Vendor Topology Axis Criteria

Axis                             Rating  Meaning
a. Compliance with IEEE          1       Not compliant with known standards.
   802.11/HIPERLAN               2       Compliant with standards other than IEEE 802.11/HIPERLAN.
                                 3       Compliant with HIPERLAN only.
                                 4       Compliant with IEEE 802.11 only.
                                 5       IEEE 802.11 and HIPERLAN compliant.
c. System management             1       Very difficult; requires continual contractor maintenance.
                                 2       Difficult; requires scheduled contractor maintenance.
                                 3       Moderate; requires some maintenance experience.
                                 4       Easy; maintenance experience not required.
                                 5       "Hands-off"; system maintains itself during normal operation.
e. Scalability/expandability     1       Not expandable after installation.
                                 2       Expandable, but very limited.
                                 3       Expandable, but limited.
                                 4       Easily expandable.
                                 5       Unlimited expandability.
f. Compatibility                 1       Not compatible with any other vendor product.
                                 2       Compatibility limited to unacceptable vendor products (IR, Narrowband).
                                 3       Compatible with some vendor products.
                                 4       Compatible with most acceptable vendor products.
                                 5       Compatible with all analyzed products.


Each vendor topology is evaluated in Table (7) and the results graphically displayed in Figures 26 and 27.


Table 7: Vendor Topology Evaluation

Product    Axis  Evaluation
Product 1  a     Is IEEE 802.11 and HIPERLAN compliant.
           b     Hardware installation difficulty is moderate, but software requires vendor configuration.
           c     Possesses multiple software peripherals requiring experienced management.
           d     Provides an adequate bit rate at 2 Mbps.
           e     Easily expandable using software/hardware from the same manufacturer.
           f     Can be used in conjunction with other manufacturers, but is not specifically designed for this.
Product 2  a     Is IEEE 802.11 and HIPERLAN compliant.
           b     Installation is "plug-and-play".
           c     Some training involved for AP hopping pattern configuration.
           d     Provides a good bit rate at 3.2 Mbps.
           e     Expandable to 62 users with 15 overlapping cells.
           f     Can be used in conjunction with other manufacturers, but is not specifically designed for this.
Product 3  a     Is IEEE 802.11 and HIPERLAN compliant.
           b     Directional antenna installation required.
           c     Settings are pre-configured.
           d     Provides a good bit rate at 3.2 Mbps.
           e     Limited to bridge routing between buildings.
           f     Can be used in conjunction with other WLAN manufacturers.
Product 4  a     Is IEEE 802.11 and HIPERLAN compliant.
           b     Directional antenna installation and configuration required.
           c     Some post-installation maintenance required.
           d     Provides a good bit rate at 3.2 Mbps.
           e     Unlimited.
           f     Is designed for compatibility with other vendors.


Figure 26: Vendor Topology Evaluation


Figure 27: Best Vendor Topology (Jaguar)
2. Best Vendor Topology Analysis


Each vendor topology has its strengths and weaknesses and can be used to meet specific needs, but Jaguar is the most balanced. It offers flexibility, expandability, and vendor compatibility.

D. WLAN CASE STUDY: WIRED SEGMENT REPLACEMENT

This case study evaluates the security implications of incorporating wireless technology into a standard wired LAN at the Naval Postgraduate School (NPS) in Monterey, CA. The LAN's physical and logical organization are discussed, then replacement of wired links with wireless is examined. The security effects of each substitution are investigated.

Figure (28) shows the NPS Token Ring LAN architecture located in a classroom at Ingersoll Hall. It is hard wired to the larger campus backbone that provides both Internet and intercampus LAN access. There is a firewall between the campus backbone and the Internet, but not between the backbone and the LAN. Each LAN client runs Windows NT and communicates with the server and other users via Multistation Access Units (MAUs). These client computers are assigned names (TN31, TN32, TN33, etc.) for physical identification during routine maintenance and repair by System Administrators. Administration is managed at the server, but a System Administrator can log in using his account from any LAN client. Most applications are pre-loaded onto the individual terminals, but some are centrally stored on the server.

Logical LAN organization uses domains to manage permission databases, groups for assigning broad sets of permissions to multiple users, and user accounts to control security at each client. The domain is a logical arrangement of LAN hardware resources referenced by a specific name. It provides a single security permissions database used by all clients attached to it. Ingersoll's LAN is part of the 'Systems Management' domain. Groups are security entities within the domain that offer broad sets of permissions to the users assigned to them. They allow System Administrators to control access for a large collection of users rather than assigning permissions to individual users. Users can be simultaneously assigned to more than one group. User accounts are referenced by user names and contain passwords, permissions, group associations, and user preferences.

The physical and logical LAN organization are tied together when an authorized user logs into the system. The user can log in to the network from any client attached to the Systems Management domain by providing their user name and password. This account information is passed to the server, which authenticates the user. Once authenticated, the user becomes a part of the network and can use its resources. During this process users will see the domain that they are logging into, but their group association is transparent to them and pre-assigned by system administrators. The server also has an optional guest account. This allows general access to resources and can only be enabled from an administrator account. Ingersoll's LAN administrators have disabled this option, because it allows anyone to log in to the network, leaving the system vulnerable to attack by malicious users.

While attached to the network, users can share each other's resources using the file transfer protocol (FTP). User "A" can make his workstation the FTP server while user "B" becomes the FTP client. Once "A" accepts "B" as an authorized client, the FTP application allows "B" to see and download files from "A". Note that FTP sends its user name and password in the clear; on the wired ring this is visible only to stations on the ring, but on a wireless segment it is visible to any receiver within range unless the link itself is encrypted.
Figure 28: Ingersoll 224 Token Ring LAN


Maintaining user mobility while retaining LAN connectivity is desired. Replacing wired LAN segments with wireless provides many alternatives for achieving this mobility. Some options provide diversity as to where different portions of the LAN can be installed while maintaining a wireless connection to the network. Other options provide physical user mobility to the client. Eventually, although not presented here, users will be able to operate within one WLAN, log off when complete, physically move their client to another WLAN in another location, and log in without reconfiguring their computer. The user needs only to specify the new domain from a drop-down menu and log in using their account information. The RF transmission between the laptop and the network AP would be decoded at the AP, with the account information forwarded to the server for verification. With these options in mind, administrators may choose to deviate from standard wireless network architectures and create wired/wireless LAN hybrids. Possible wireless segmentation is discussed below.

1. Wireless Between User and Multistation Access Unit

The replacement of wires between users and a MAU by wireless connections is evaluated first. The advantage of this architecture is that it permits some or all users to roam outside of the classroom while remaining connected. Figures (29) and (30) show this architecture.


Figure 29: Hard Wired LAN With Wireless Users

When logging into the network the user ensures that his drop-down menu shows the domain name 'Systems Management'. After typing in his account information the user presses "enter" and sends the data, via RF signal, to the receiving AP. The AP translates the signal back into binary code and forwards the request to the server. The server acknowledges receipt of the data and either accepts or rejects the user. If authorized, the user joins the network. User mobility is maintained without weakening access control: all communications between mobile units and network resources are still passed through MAUs, and the server still decides who joins. What changes is exposure. Everything that previously crossed the wiring between client and MAU, the login exchange included, is now broadcast over RF, so the confidentiality of this segment rests on the link-layer encryption and on how far the signal carries (see the attacks in Section E). This configuration also uses fewer MAU ports, thus freeing them for other devices.

2. Wireless Between Servers and Multistation Access Units

A topology in which the wired connections between the server and MAUs are replaced with wireless technology is evaluated next. The advantage of this topology is that it allows a MAU and its attached clients to be placed in a room separate from the server while keeping a connection to the network. Figures (31) and (32) show this architecture.


Figure 31: Hard Wired LAN With Wireless Connection Between Server and MAU

Figure 32: Wireless Between Server and Multistation Access Units


As in the previous example, access control is not compromised, because users must still log in to the server and be granted access prior to entering the network. Note, however, that this one segment carries every attached client's traffic to the server, so intercepting it exposes the whole classroom rather than a single user.

3.  Wireless  Between  Multistation  Access  Units 

The  benefits  achieved  by  replacing  wired  connections  between  MAUs  are  few, 
but  notable.  Wireless  connections  between  MAUs  do  not  increase  client  physical 
mobility,  but  offer  user  virtual  mobility.  Connected  users  can  logout,  physically  move  to 
a  different  client  in  a  different  room,  and  login  again  resuming  their  connection  to  the 
network.  Hardware  expense  is  also  saved,  because  wires  don’t  need  to  be  installed 
between  MAUs.  User  login  procedures  remain  the  same.  Figure  (33)  shows  this 
schematic. 
4. Wireless Between Backbone and Ingersoll LAN

Replacing the connection between the LAN and the campus backbone with directional wireless antennas is evaluated next. There are cost savings in this case, because LANs are connected to the backbone without purchasing and installing wire. The firewall is still located between the backbone and the Internet, so overall security is not degraded. Access within the LAN is still handled by the server. One concern is that the RF transmission is "in the open". An attack in the preceding examples has to overcome physical obstructions such as walls and doors. The LAN-to-backbone wireless connection puts the signal outside of the building, making it more susceptible to exploitation or interference, because an attacker need not worry about penetrating the building structure. Figures (34) and (35) show this architecture.


Figure 34: Hard Wired LAN With Wireless Connection to Campus Backbone
Figure 35: Wireless Between Backbone and Ingersoll LAN


5. Summary


Each configuration has its strengths and weaknesses. There is no single solution that is applicable to all WLANs. Administrators must first determine their requirements and then decide which segments to replace. For example, if all users are using desktop computers in the same room, it makes no sense to install wireless segments between these users and the MAUs. Their computers would become theoretically "mobile", but their physical size and weight would keep them stationary. After determining LAN requirements, an administrator can choose from the previously mentioned vendor topologies or develop a hybrid of his own.

E. WIRELESS LAN CASE STUDY: WIRELESS SEGMENT ATTACKS

Wireless segment replacement has its advantages, but it can also make the network vulnerable to attack. An FHSS signal is indiscernible to a receiver that does not follow the hops, but a knowledgeable attacker who knows the hopping algorithm can decode the received signal. For IEEE 802.11 FHSS equipment this is a low bar: the hop sequences are fixed by the standard and the pattern in use is announced in beacon frames, so any compliant receiver can follow the network, and hop secrecy must not be counted as an access control. Additionally, an attacker can disrupt the network without knowing any algorithm at all. In either case, the level of vulnerability depends on the network configuration. The following are methods that an attacker can use to exploit wireless segmentation.


1. By-passing Access Controls; Frequency Hopping Algorithm Known

Windows NT 4.0 user groups control access to specific network resources. Figure (36) shows a poorly placed AP between the server and an extended resource such as a database located on another machine. The server authenticates users prior to granting access, but an attacking transceiver can transmit into the signal "cloud" and gain access to the unprotected resource. The attacker can then enter the server by spoofing the extended resource. If the server trusts the intruder, the attacker can control all services provided by the server and manipulate the network. Users can be fooled into sharing sensitive or classified information and may also unknowingly log in directly to the attacker's system via the server. Other unauthorized actions include:
Figure 36: By-passing Access Controls; Frequency Hopping Algorithm Known


a. Resource Exploitation


The attacker can obtain information from the server and use it to his advantage. He can download any personal information about users with authorized network access.


b. Falsifying Information

The attacker can transmit false information to authorized network users. This damages resource integrity and can lead to cascading problems as users apply or pass this information on to other users.

c. User Access Data

The attacker can acquire group access data, thereby gaining knowledge of which users have the fewest access restrictions. This helps the attacker focus future exploitation on specific users who have higher network privileges.

2. Bypassing the Firewall; Frequency Hopping Algorithm Known

Figure (37) shows a directional antenna placed between Ingersoll's LAN and the campus backbone. Knowing the frequency hopping algorithm allows an unauthorized transceiver to intercept data transmissions between the backbone and the LAN receiver. This effectively allows the attacker to bypass the firewall. Once inside the backbone, the attacker can potentially access all network servers within NPS. It can also receive and send data through all connections accessed by Ingersoll's LAN.

Figure 37: Intrusion Inside the Firewall; Frequency Hopping Algorithm Known


3. Direct Connection to Wireless Users; Frequency Hopping Algorithm Known

Figure (38) shows an unauthorized transceiver gaining direct access to wireless network users while circumventing both firewall and server access protection. This allows the attacker to communicate with users and possibly to use IP spoofing to implement a transitive trust attack. Using another user's IP address, the attacker fools an authorized user into logging into the attacking system by luring the victim into believing the attacker is the server. This method also allows the attacker to trick the server into thinking that the intruder is a valid user. These attacks are initiated using a couple of techniques.


Figure 38: Direct Connection to Wireless Users; Frequency Hopping Algorithm Known
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a. 


Direct  User  Connection 


This method allows direct connection to users by “dialing” into their
machines. With a spoofed IP address, the attacker sends a signal directly to the user
requesting an FTP connection. After the unsuspecting user accepts the intruder as a
fellow authorized user, the attacker has control of the user’s files. Subsequently, the
attacker can use the compromised machine to gain access to server resources posing as
the victim user.

b. Indirect User Connection

This requires the attacker to gain access to the server first and then
communicate with a user while presenting himself as another valid network user. The
initial RF signal is sent directly to the AP, is passed on to the server, and is accepted using
a spoofed IP address. The attacker can then communicate with any network user. The
valid user doesn’t suspect the intrusion because it believes the attacker to be valid.

4. IP Spoofing Between Multistation Access Units: Frequency Hopping Algorithm Known

Figure (39) shows an attack on transmissions between MAUs. This doesn’t
provide direct RF access to users or servers, but allows manipulation of data being passed
between LAN portions. With enough illegally confiscated data, the attacker can initiate a
number of attacks posing as other users.




Figure 39: IP Spoofing Between MAUs; Frequency Hopping Algorithm Known


5. Denial of Service: Frequency Hopping Algorithm Not Known

Figure (40) shows transceivers attacking all wireless sections of the network.
Without knowing the FHSS hopping algorithm, the attackers can transmit enough power to
override authorized signals. This nullifies valid transmissions and renders the network
physically useless for the duration of the attack.




Figure 40: Denial Of Service; Frequency Hopping Algorithm Not Known


F. WIRELESS LAN CASE STUDY: DETECTING THE ATTACKER

The previous examples show how an attacker can exploit the network. Detecting
these attacks requires diligence and an understanding of how the network is mapped.
Using Windows NT 4.0 Server Manager a systems administrator can “see” all users who
are online and which workstations they are using, but this doesn’t provide information
about malicious attacks launched by wireless invaders from outside of the network. Two
methods for detecting unauthorized wireless intrusions are: using software sniffers and
using hardware transmitter detectors. This section will provide a synopsis of possible
ways to defeat attacks specific to wireless networks. It does not provide a survey of all
tools available for this detection, but rather two possible technologies to combat such
attacks.


1. Software Sniffers

Sniffers are more important to WLANs, because misuse of the network is easier.
This is due to the fact that access to the transmission medium is not as physically
controlled as it is in hard wired LANs. Intrusion detection, discussed in previous
sections, uses software tools that look for irregular data packet transfers between nodes.
This irregularity is determined by the type of attack being initiated. These applications
may detect when an unauthorized user has hacked into the network. If the network sniffer
detects an irregularly named user, then that user may be accessing the network in an
unauthorized capacity. For example, users might be online using only three terminals,
TN26, TN27, and BERTHA. Suppose that BERTHA is not a name assigned to any
authorized workstation. The user may be using an authorized user name and password
with an unauthorized workstation, or may have simply found a way to hack into the
network using a spoofed user name and password. These conditions are the same for
wired and wireless networks. The attacker must still access the LAN via an AP, so the
network administrator can detect the intruder at this choke point. Then other methods
specific to wireless can be employed to locate the attacking transmitter.
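The inventory check described above, written out as an added example (this is not code from the thesis, and the session record format, the workstation names other than TN26/TN27/BERTHA, the account names and the access point labels are all constructed for illustration). It flags a session whose workstation is not in the authorized inventory, the BERTHA case from the text, and also the weaker signal the paragraph hints at: an authorized account appearing on an authorized machine it is not normally used from. Alerts are then tallied per access point, since the AP is the choke point where a wireless intruder must show up.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Authorized workstation inventory (constructed for this example).
AUTHORIZED_WORKSTATIONS = {"TN26", "TN27", "TN28"}

# Workstations each account is normally used from (constructed). An account on
# a different, though authorized, machine is not proof of intrusion, only a lead.
EXPECTED_WORKSTATIONS = {
    "jsmith": {"TN26"},
    "mjones": {"TN27", "TN28"},
}

# Constructed session records in a hypothetical "key=value" line format; a real
# feed would come from the server's session list or the AP's association log.
SAMPLE_SESSIONS = """\
1998-04-02 09:14:03 user=jsmith workstation=TN26 via=AP1
1998-04-02 09:15:47 user=mjones workstation=TN27 via=AP1
1998-04-02 09:21:10 user=jsmith workstation=BERTHA via=AP2
1998-04-02 09:22:55 user=mjones workstation=TN26 via=AP1
1998-04-02 09:30:00 this line is malformed and is skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"user=(?P<user>\S+) workstation=(?P<ws>\S+) via=(?P<ap>\S+)$"
)


@dataclass(frozen=True)
class Alert:
    timestamp: str
    user: str
    workstation: str
    access_point: str
    reason: str


def parse_sessions(text):
    """Yield one dict per well-formed session line; malformed lines are dropped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def find_suspicious_sessions(text, authorized=AUTHORIZED_WORKSTATIONS,
                             expected=EXPECTED_WORKSTATIONS):
    """Return alerts for unknown workstations and unexpected account/workstation pairs."""
    alerts = []
    for rec in parse_sessions(text):
        if rec["ws"] not in authorized:
            reason = "workstation not in authorized inventory"
        elif rec["user"] in expected and rec["ws"] not in expected[rec["user"]]:
            reason = "account used from an unexpected workstation"
        else:
            continue
        alerts.append(Alert(rec["ts"], rec["user"], rec["ws"], rec["ap"], reason))
    return alerts


def alerts_by_access_point(alerts):
    """Count alerts per AP: the AP is the choke point every wireless client passes through."""
    return dict(Counter(a.access_point for a in alerts))


if __name__ == "__main__":
    found = find_suspicious_sessions(SAMPLE_SESSIONS)
    for a in found:
        print(f"{a.timestamp} {a.access_point} {a.user}@{a.workstation}: {a.reason}")
    print(alerts_by_access_point(found))
```

On the constructed input the BERTHA session is reported as an unknown workstation and the mjones session on TN26 as an account on an unexpected machine; the per-AP tally then tells the administrator which AP to start the transmitter search from.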

2. Hardware Transmitter Detectors

Locating an attacking transceiver can only begin after an ongoing attack has been
detected. As described in the previous section, packet sniffing can be used to detect
unauthorized activity on the LAN. To accomplish an attack the intruder has to be
transmitting a signal into the LAN’s AP. Devices are available that can track the
intensity of and the direction from which a signal is generated. An attacker who is
passively listening to data transmissions between mobile nodes and LAN APs can also be
tracked. In order to receive and use an FHSS signal the attacker’s receiver must be
receiving the signal at the same frequencies that the carrier signals are using. Once
captured, the attacking receiver decodes the signal into usable data with an internal
oscillator that tunes to the received signal frequency. This oscillation causes leakage
current detectable using inexpensive tracking receivers. These receivers may be large
and very sensitive or small and dedicated to picking up leakage current from very small
coverage areas. Such receivers can be created using equipment purchased from any
electronics store. Once this frequency leak is detected, the direction from which the
attack is emanating is determined and the intruder can be located. These leakage
detection receivers have been used by television movie subscription companies for over
15 years to track unauthorized reception antennas mounted on homes and offices. They
are not currently provided by makers of wireless products, but could be included in the
arsenal of intrusion detection tools.
V. CONCLUSION


Wireless LANs will eventually be a common alternative to the wired LAN.
Wireless networking is a rapidly emerging technology and security must be addressed as
it is incorporated into new and existing networks. What are the unique properties of
wireless LANs that might amplify existing LAN vulnerabilities or introduce new ones?
This study began with the review of available technologies. Wireless transmission
techniques, topologies, and vendor offerings were surveyed from a security perspective.
This information was graphically displayed using Kiviat drawings to show symmetric
comparisons of each analysis category. FHSS transmission technology, cellular topology,
and the Jaguar product emerged as the best approaches available. These results were
applied to a case study that examines network wired segment replacement options,
wireless segment attacks, and methods to detect an attacker.

Future wireless networks should provide easy connectivity between authorized
clients and the network with which they are associated. These systems must be built to
be secure from the ground up. Pushing vulnerability mitigation to the final phases of
development will leave security loopholes that are impossible to close. Hardware
encryption/decryption devices are not used by most products, but software encryption
exists in the form of transmission algorithms. Leakage current detectors, discussed in
Chapter Four, should also be designed for WLAN system compatibility and then sold as
an intrusion detection tool. This would alleviate problems associated with the passive
attacker who uses a receiver to intrude on a WLAN.

Wireless replacement segments for wired networks are recommended where user
mobility is desired. System administrators have many technology options from which to
choose. With a solid knowledge of available technologies and topologies, suitable
vendors can be chosen to provide the right equipment to meet the WLAN needs for any
organization. Current standards offer guidance that show how wireless technologies
operate, but do not relate to quality LAN design.

The analysis provided in this paper is one approach to quantifying technology and
product advantages. These metrics are universal in their application and can be tailored
to measure the strengths and weaknesses of various wireless networking components.
With proper planning and sensible decisions, a WLAN administrator can successfully
introduce wireless technology to a LAN while maintaining its previous level of security.
APPENDIX A. ABBREVIATIONS


AP - Access Point

ATM - Asynchronous Transfer Mode

BER - Bit Error Rate

bps - bits per second

BSS - Basic Service Set; A set of stations communicating wirelessly on the same channel
in the same area (in IEEE 802.11)

CA - Certificate Authority

CAC - Channel Access Control (in HIPERLAN)

CAM - Channel Access Mechanism (in HIPERLAN)

ESS - Extended Service Set; A set of BSSs and wired LANs with Access Points that
appear as a single logical BSS (in IEEE 802.11)

ETR - ETSI Technical Report

ETSI - European Telecommunications Standards Institute

GSM - Global System for Mobile communications

HIPERLAN - High PErformance Radio Local Area Network

HM-entity - HIPERLAN MAC entity

ICV - Integrity Check Vector

IEEE - Institute of Electrical and Electronics Engineers

ISO - International Standard Organization

IV - Initialization Vector

LAN - Local Area Network

MAC - Medium Access Control

MPDU - MAC Protocol Data Unit

PEM - Privacy Enhanced Mail

PHY - Physical layer

PRNG - Pseudo Random Number Generator

SECCS - Shared Key Cryptography System

UMTS - Universal Mobile Telecommunications System

WEP - Wired Equivalent Privacy
APPENDIX B. DEFINITIONS


Ad-hoc: In ad-hoc configuration the wireless LAN has no fixed components

Authentication: The identification of the parties

Base: Usually fixed base station of the wireless LAN, sometimes referred to as Access Point

Cipher text: The data after ciphering

Confidentiality: Only intended parties can access the data

Coverage: The area where the transmission of the node can be heard

Denial of service: An attack preventing the system from being used

Eavesdropping: Capturing the data by an unintended party

End-to-end: From the sending node to the intended receiver

Integrity: The message can not be modified or replaced by unintended parties

Key management: The policy to distribute and save the private and public keys

Plain text: The data to be sent, before ciphering

Pre-arranged: In pre-arranged configuration the wireless LAN has some fixed
components, like bases

Private key: A sensitive key that must not be compromised

Public key: A non-sensitive key that can be published

Shared key: A secret key common to many users or network nodes

Station-to-station: From one node to the next one in the network

Transitive trust: An attack exploiting the host-host or network-network trust
APPENDIX C. OSI MODEL LAYERS

OSI Layer       Function Provided

Application     Network applications such as file transfer and terminal emulation

Presentation    Data formatting and encryption

Session         Establishment and maintenance of sessions

Transport       Provision for end-to-end reliable and unreliable delivery

Network         Delivery of packets of information, which includes routing

Data Link       Transfer of units of information, framing, and error checking

Physical        Transmission of binary data over a medium